Add support for Native Routing mode with Multi-Pool IPAM and IPsec encryption #39559

@pippolo84

Description

Multi-Pool IPAM is compatible with IPsec encryption only when running in tunnel mode (see #39442).

To make Multi-Pool and IPsec compatible with native routing mode too, we need to handle each of the additional SecondaryCIDRs of the CiliumNodes, installing the proper XFRM policies and states. Doing that guarantees the correct encryption of the egress traffic toward pods with addresses carved out of non-default IP pools.

At the moment, the traffic is dropped by the XFRM framework and the related stat XfrmOutPolBlock is increased each time.
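A diagnostic sketch for the gap described above, added here as an example and not taken from the issue or from Cilium's code: it lists which of a remote node's pod CIDRs have no outbound XFRM policy. The `ip xfrm policy` text is simplified and constructed, the CIDRs are constructed, the function names are hypothetical, and it assumes out policies select on the destination pod CIDR.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed, simplified `ip xfrm policy` output: only the default-pool CIDR has an out policy.
const samplePolicies = `src 0.0.0.0/0 dst 10.0.1.0/24
	dir out priority 0
src 10.0.1.0/24 dst 10.0.0.0/24
	dir in priority 0
`

// outPolicyDsts returns the destination selector of every "dir out" policy.
func outPolicyDsts(out string) (dsts []netip.Prefix) {
	var cur netip.Prefix
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) >= 4 && f[0] == "src" && f[2] == "dst" {
			cur, _ = netip.ParsePrefix(f[3]) // zero (invalid) Prefix on parse error
		} else if len(f) >= 2 && f[0] == "dir" && f[1] == "out" && cur.IsValid() {
			dsts = append(dsts, cur)
		}
	}
	return
}

// uncovered returns the pod CIDRs that no out-policy destination fully contains.
func uncovered(podCIDRs []string, dsts []netip.Prefix) (missing []string) {
	for _, c := range podCIDRs {
		p, _ := netip.ParsePrefix(c)
		covered := false
		for _, d := range dsts {
			// d covers p when it is no more specific than p and contains p's base address.
			covered = covered || (p.IsValid() && d.Bits() <= p.Bits() && d.Contains(p.Masked().Addr()))
		}
		if !covered {
			missing = append(missing, c)
		}
	}
	return
}

func main() {
	// Constructed remote-node CIDRs: default pool first, then one secondary pool.
	remote := []string{"10.0.1.0/24", "10.20.1.0/27"}
	fmt.Println("pod CIDRs without an out policy:", uncovered(remote, outPolicyDsts(samplePolicies)))
}
```

A CIDR reported here is one toward which egress traffic would hit the drop the issue describes; the kernel exposes the XfrmOutPolBlock counter in `/proc/net/xfrm_stat`.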

Labels: area/multipool (Affects Multi-Pool IPAM), feature/ipsec (Relates to Cilium's IPsec feature), kind/enhancement (This would improve or streamline existing functionality.)