Traffic Encryption with Antrea

    IPsec encyption works for all tunnel types supported by OVS including Geneve, GRE, VXLAN, and STT tunnel.

    Note that GRE is not supported for IPv6 clusters (IPv6-only or dual-stack clusters). For such clusters, please choose a different tunnel type such as Geneve or VXLAN.

    IPsec requires a set of Linux kernel modules. Check the required kernel modules listed in the strongSwan documentation. Make sure the required kernel modules are loaded on the Kubernetes Nodes before deploying Antrea with IPsec encyption enabled.

    If you want to enable IPsec with Geneve, please make sure is included in the kernel. For Ubuntu 18.04, kernel version should be at least . For Ubuntu 20.04, kernel version should be at least 5.4.70.

    To deploy the latest version of Antrea (built from the main branch), get the IPsec deployment yaml at:

    1. https://raw.githubusercontent.com/antrea-io/antrea/main/build/yamls/antrea-ipsec.yml

    Antrea leverages strongSwan as the IKE daemon, and supports using pre-shared key (PSK) for IKE authentication. The deployment yaml creates a Kubernetes Secret antrea-ipsec to store the PSK string. For security consideration, we recommend to change the default PSK string in the yaml file. You can edit the yaml file, and update the psk field in the antrea-ipsec Secret spec to any string you want to use. Check the Secret spec below:

    After updating the PSK value, deploy Antrea with:

    1. kubectl apply -f antrea-ipsec.yml

    By default, the deployment yaml uses GRE as the tunnel type, which you can change by editing the file. You will need to change the tunnel type to another one if your cluster supports IPv6.

    WireGuard

    WireGuard encryption requires wireguard kernel module be present on the Kubernetes Nodes. wireguard module is part of mainline kernel since Linux 5.6. Or, you can compile the module from source code with a kernel version >= 3.10. documents how to install WireGuard together with the kernel module on various operating systems.

    First, download the . To deploy a released version of Antrea, pick a version from the list of releases. Note that WireGuard support was added in release 1.3.0, which means you can not pick a release older than 1.3.0. For any given release <TAG> (e.g. v1.3.0), get the Antrea deployment yaml at:

    To deploy the latest version of Antrea (built from the main branch), get the deployment yaml at:

      To enable WireGuard encryption, the trafficEncryptionMode config parameter of antrea-agent to wireGuard. The trafficEncryptionMode config parameter is defined in antrea-agent.conf of antrea ConfigMap in the Antrea deployment yaml:

      1. kubectl apply -f antrea.yml