github.com/cilium/cilium@v1.16.2/Documentation/security/network/encryption.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _gsg_encryption:

************************************
Transparent Encryption
************************************

Cilium supports the transparent encryption of Cilium-managed host traffic and
traffic between Cilium-managed endpoints using either IPsec or WireGuard®:

.. toctree::
   :maxdepth: 1
   :glob:

   encryption-ipsec
   encryption-wireguard

.. admonition:: Video
 :class: attention

  You can also see a demo of Cilium Transparent Encryption in `eCHO episode 79: Transparent Encryption with IPsec and WireGuard <https://www.youtube.com/watch?v=vj7M-t9MK6s>`__.

Known Issues and Workarounds
============================

Egress traffic to not yet discovered remote endpoints may be unencrypted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To determine whether a packet needs to be encrypted, transparent encryption
relies on the same mechanisms as policy enforcement to decide if the destination
of an outgoing packet belongs to a Cilium-managed endpoint on a remote node.
This means that if an endpoint is allowed to initiate traffic to targets outside
of the cluster, it is possible for that endpoint to send packets to arbitrary
IP addresses before Cilium learns that a particular IP address belongs to a
remote Cilium-managed endpoint or to a remote Cilium host that has just joined
the cluster. In such a case there is a time window during which Cilium sends
the initial packets unencrypted, as it has to assume the destination IP address
is outside of the cluster, and anyone able to observe the network between the
nodes can read them. Once the information about the newly created endpoint has
propagated through the cluster and Cilium knows that the IP address is an
endpoint on a remote node, it starts encrypting packets using the encryption
key of the remote node.

One workaround for this issue is to ensure that the endpoint is not allowed to
send unencrypted traffic to arbitrary targets outside of the cluster. This can
be achieved by defining an egress policy which either completely disallows
traffic to ``reserved:world`` identities, or only allows egress traffic
to addresses outside of the cluster to a certain subset of trusted IP
addresses using ``toCIDR``, ``toCIDRSet`` and ``toFQDNs`` rules. This closes
the window only for the endpoints such a policy selects; an endpoint that keeps
an unrestricted allowance to ``reserved:world`` still sends its first packets
to a not yet discovered remote endpoint in the clear.
See :ref:`policy_examples` for more details about how to write network
policies that restrict egress traffic to certain endpoints.
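
As an added illustration of this workaround (an example written for this page,
not a policy taken from the Cilium documentation or the Cilium project), the
following ``CiliumNetworkPolicy`` selects pods carrying the assumed label
``app=frontend`` and limits their egress to the cluster plus a short allow-list
of external destinations. Because the policy selects the endpoint and contains
egress rules, every destination it does not list, including the rest of
``reserved:world``, is denied, so the endpoint can no longer reach a not yet
discovered remote pod IP in cleartext through a blanket world allowance. The
external CIDR and the DNS names are placeholders (RFC 5737 address space and
``example.com``).

```yaml
# Added example, not part of the Cilium documentation. Label, CIDRs and
# names below are assumptions chosen for illustration.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: frontend-egress-no-world
  namespace: default
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  egress:
    # Anything inside the cluster. Remote pods and hosts resolve to Cilium
    # identities, so this traffic is encrypted once the peer is known; the
    # policy never admits unrestricted traffic to reserved:world.
    - toEntities:
        - cluster
    # A trusted external range, with one host carved out.
    - toCIDRSet:
        - cidr: 203.0.113.0/24
          except:
            - 203.0.113.10/32
    # Trusted external names. These rules only work together with the DNS
    # rule below, because Cilium learns the addresses from the DNS answers.
    - toFQDNs:
        - matchName: api.example.com
        - matchPattern: "*.updates.example.com"
    # Let the pod query cluster DNS through the Cilium DNS proxy, which
    # observes the responses that back the toFQDNs rules.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
```

Apply it with ``kubectl apply -f``. The ``toEndpoints`` rule with a ``dns``
section is what makes ``toFQDNs`` usable: without the DNS proxy seeing the
answers, Cilium has no mapping from the names to IP addresses and the
``toFQDNs`` rules match nothing.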

Another way to mitigate this issue is to set ``encryption.strictMode.enabled``
to ``true`` and the expected pod CIDR as ``encryption.strictMode.cidr``.
This encryption strict mode enforces that traffic exiting a node
to the configured CIDR is always encrypted. Be aware that, because traffic to an
address in that CIDR is never sent in cleartext, information about new pod
endpoints must propagate to the node before the node can send traffic to them;
until then, such traffic is dropped rather than leaked.

Encryption strict mode has the following limitations:

- Only WireGuard encryption is supported.
- The pod CIDR and therefore the encryption strict mode CIDR must be IPv4.
  IPv6 traffic is not protected by the strict mode and can be leaked.
- To disable all dynamic lookups, you must use direct routing mode and the
  node CIDR and pod CIDR must not overlap. Otherwise,
  ``encryption.strictMode.allowRemoteNodeIdentities`` must be set to ``true``.
  This allows unencrypted traffic sent from or to any IP address associated
  with a node identity, so it weakens the guarantee for that part of the
  address space.
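
The following Helm values, written for this page as an added example rather
than taken from the Cilium documentation or the chart defaults, turn on strict
mode in the configuration that avoids the ``allowRemoteNodeIdentities`` escape
hatch: WireGuard, direct (native) routing, and a pod CIDR (assumed
``10.0.0.0/16``) that does not overlap the node CIDR (assumed
``192.168.10.0/24``). Both CIDRs are assumptions for illustration.

```yaml
# Added example, not from the Cilium documentation. Pod CIDR 10.0.0.0/16 and
# node CIDR 192.168.10.0/24 are assumed values that do not overlap.
encryption:
  enabled: true
  type: wireguard              # strict mode is only supported with WireGuard
  strictMode:
    enabled: true
    cidr: 10.0.0.0/16          # the pod CIDR; must be IPv4, IPv6 is not covered
    # Keep this false with direct routing and disjoint node/pod CIDRs: no
    # address inside 10.0.0.0/16 can then belong to a node, so every packet
    # into that range is either encrypted or dropped. Setting it to true
    # re-admits unencrypted traffic from or to any address that carries a
    # node identity, which is only needed with tunneling or overlapping CIDRs.
    allowRemoteNodeIdentities: false
# Direct routing between nodes; the strict-mode CIDR is the native routing CIDR.
routingMode: native
ipv4NativeRoutingCIDR: 10.0.0.0/16
autoDirectNodeRoutes: true
```

With tunnel routing, or with node and pod CIDRs that overlap, the same values
must instead set ``encryption.strictMode.allowRemoteNodeIdentities: true``, and
traffic to or from node-identity addresses is then exempt from the strict check.
After installing with ``helm install cilium cilium/cilium -n kube-system -f
values.yaml``, ``cilium encrypt status`` from the cilium-cli reports the
encryption mode on each node.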