diff --git a/modules/nw-ovn-ipsec-disable.adoc b/modules/nw-ovn-ipsec-disable.adoc index 8793757fc293..a5a5704cc81e 100644 --- a/modules/nw-ovn-ipsec-disable.adoc +++ b/modules/nw-ovn-ipsec-disable.adoc @@ -8,6 +8,11 @@ As a cluster administrator, you can disable IPsec encryption only if you enabled IPsec after cluster installation. +[IMPORTANT] +==== +After disabling IPsec, you must delete the associated IPsec daemonsets pods. If you do not delete these pods, you might experience issues with your cluster. +==== + .Prerequisites * Install the OpenShift CLI (`oc`). 
@@ -23,24 +28,47 @@ $ oc patch networks.operator.openshift.io/cluster --type=json \ -p='[{"op":"remove", "path":"/spec/defaultNetwork/ovnKubernetesConfig/ipsecConfig"}]' ---- -. Optional: You can increase the size of your cluster MTU by `46` bytes because there is no longer any overhead from the IPsec ESP header in IP packets. +. To find the name of the OVN-Kubernetes data plane pod that exists on the `master` node in your cluster, enter the following command: ++ +[source,terminal] +---- +$ oc get pods -n openshift-ovn-kubernetes -l=app=ovnkube-master +---- ++ +.Example output +[source,terminal] +---- +ovnkube-master-5xqbf 8/8 Running 0 28m +... +---- -. Verify that IPsec is disabled on your cluster: +. Verify that the `master` node in your cluster has IPsec disabled by entering the following command. The command output must state `false` to indicate that the node has IPsec disabled. + [source,terminal] ---- -$ oc -n openshift-ovn-kubernetes -c nbdb rsh ovnkube-master- \ - ovn-nbctl --no-leader-only get nb_global . ipsec +$ oc -n openshift-ovn-kubernetes -c nbdb rsh ovnkube-master- \// <1> + ovn-nbctl --no-leader-only get nb_global . ipsec ---- +<1> Replace `` with the random sequence of letters, such as `5xqbf`, for the data plane pod from the previous step. + +. To remove the IPsec `ovn-ipsec` daemonset pod from the `openshift-ovn-kubernetes` namespace on the node, enter the following command: + --- -where: +[source,terminal] +---- +$ oc delete daemonset ovn-ipsec -n openshift-ovn-kubernetes <1> +---- +<1> The `ovn-ipsec` daemonset configures IPsec connections for east-west traffic on the node. -``:: Specifies the random sequence of letters for a pod from the previous step. --- +. Verify that the `ovn-ipsec` daemonset pod was removed from the all nodes in your cluster by entering the following command. If the command output does not list the pod, the removal operation is successful. 
+ -.Example output -[source,text] +[source,terminal] +---- +$ oc get pods -n openshift-ovn-kubernetes -l=app=ovn-ipsec ---- -false ----- \ No newline at end of file ++ +[NOTE] +==== +You might need to re-run the command for deleting the pod because sometimes the initial command attempt might not delete the pod. +==== + +. Optional: You can increase the size of your cluster MTU by `46` bytes because there is no longer any overhead from the IPsec ESP header in IP packets. diff --git a/modules/nw-ovn-ipsec-enable.adoc b/modules/nw-ovn-ipsec-enable.adoc index 4a187f2002cb..8b252d3f1d98 100644 --- a/modules/nw-ovn-ipsec-enable.adoc +++ b/modules/nw-ovn-ipsec-enable.adoc @@ -11,8 +11,8 @@ As a cluster administrator, you can enable IPsec encryption after cluster instal .Prerequisites * Install the OpenShift CLI (`oc`). -* Log in to the cluster with a user with `cluster-admin` privileges. -* You have reduced the size of your cluster MTU by `46` bytes to allow for the overhead of the IPsec ESP header. +* Log in to the cluster as a user with `cluster-admin` privileges. +* You have reduced the size of your cluster maximum transmission unit (MTU) by `46` bytes to allow for the overhead of the IPsec ESP header. .Procedure 
@@ -42,22 +42,11 @@ ovnkube-master-hsgmm 6/6 Running 0 122m ovnkube-master-qcmdc 6/6 Running 0 122m ---- -. Verify that IPsec is enabled on your cluste by running the following command: +. Verify that IPsec is enabled on your cluster by entering the following command. The command output must state `true` to indicate that the node has IPsec enabled. + [source,terminal] ---- -$ oc -n openshift-ovn-kubernetes rsh ovnkube-master- \ +$ oc -n openshift-ovn-kubernetes rsh ovnkube-master- \ <1> ovn-nbctl --no-leader-only get nb_global . ipsec ---- -+ --- -where: - -``:: Specifies the random sequence of letters for a pod from the previous step. --- -+ -.Example output -[source,text] ----- -true ----- \ No newline at end of file +<1> Replace `` with the random sequence of letters, `fvtnh`, for a data plane pod from the previous step.
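Review bot: In the new `[IMPORTANT]` block at the top of `modules/nw-ovn-ipsec-disable.adoc`, "you might experience issues with your cluster" gives the administrator nothing to recognize or triage. State the concrete symptom that leftover IPsec pods cause, so the reader understands why the cleanup is mandatory rather than optional. Also, "IPsec daemonsets pods" should name the object the procedure actually removes, which later in this patch is the `ovn-ipsec` daemonset in `openshift-ovn-kubernetes`.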
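Review bot: In the procedure hunk of `modules/nw-ovn-ipsec-disable.adoc` (`@@ -23,24 +28,47 @@`), the removal step and its command disagree about what is deleted. The step says "remove the IPsec `ovn-ipsec` daemonset pod ... on the node", but `oc delete daemonset ovn-ipsec -n openshift-ovn-kubernetes` deletes the daemonset object itself and is not scoped to a node. The verification step and the `[NOTE]` then speak of "the pod" again, so "re-run the command for deleting the pod" is ambiguous about which command is meant. Pick one object and use it throughout, for example "delete the `ovn-ipsec` daemonset" in the step, "no `ovn-ipsec` pods are listed" in the verification, and the exact command to repeat in the note. Three smaller points in the same hunk: `ovnkube-master- \// <1>` leaves text after the line-continuation backslash, so a copied command will not continue onto the `ovn-nbctl` line, and the callout is better attached to the last line or moved into the step text. "removed from the all nodes" has a stray "the". And "data plane pod that exists on the `master` node" is questionable for pods selected with `app=ovnkube-master`, which are the OVN-Kubernetes control plane pods, and there is one per control plane node, as the multi-pod example output in the enable module shows.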
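Review bot: In the verification step of `modules/nw-ovn-ipsec-enable.adoc` (`@@ -42,22 +42,11 @@`), the callout text "the random sequence of letters, `fvtnh`, for a data plane pod" reads as if `fvtnh` were the value to type. The disable module says "such as `5xqbf`", and the same "such as" wording is needed here. The step also switches from "IPsec is enabled on your cluster" to "the node has IPsec enabled" within two sentences, although `nb_global . ipsec` is read once from the northbound database. Say "cluster" in both places, or explain which node is meant. As in the disable module, `\ <1>` puts a callout after the continuation backslash, so check that the rendered command still copies as a single command. Finally, this command omits the `-c nbdb` that the disable module passes to `oc rsh`. With multi-container pods (`6/6` in the example output), `rsh` falls back to the pod's default container, so either add `-c nbdb` here or confirm that the difference is intentional.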