docs

Signed-off-by: Lukas Hoehl <[email protected]>

Author: hown3d

docs/usage/usage.md

@@ -8,9 +8,11 @@ In this document we are describing how this configuration looks like for Cilium
 
 Hubble is a fully distributed networking and security observability platform build on top of Cilium and BPF. It is optional and is deployed to the cluster when enabled in the `NetworkConfig`.
 If the dashboard is not externally exposed
+
 ```
 kubectl port-forward -n kube-system deployment/hubble-ui 8081
 ```
+
 can be used to acess it locally.
 
 ## Example `NetworkingConfig` manifest
@@ -40,17 +42,20 @@ The `bpfSocketLBHostnsOnly.enabled` field describes whether socket LB will be sk
 Setting the field `cni.exclusive` to `false` might be useful when additional plugins, such as Istio or Linkerd, wish to chain after Cilium. This action disables the default behavior of Cilium, which is to overwrite changes to the CNI configuration file.
 
 The `egressGateway.enabled` field describes whether egress gateways are enabled or not (default). To use this feature kube-proxy must be disabled. This can be done with the following configuration in the Shoot:
+
 ```yaml
 spec:
   kubernetes:
     kubeProxy:
       enabled: false
 ```
+
 The egress gateway feature is only supported in gardener with an overlay network (shoot.spec.networking.providerConfig.overlay.enabled: true) at the moment. This is due to the reason that bpf masquerading is required for the egress gateway feature. Once the overlay network is enabled `bpf.masquerade` is set to `true` in the cilium configmap.
 
 The `snatToUpstreamDNS.enabled` field describes whether the traffic to the upstream dns server should be masqueraded or not (default). This is needed on some infrastructures where traffic to the dns server with the pod CIDR range is blocked.
 
 The `policyAuditMode` field describes whether the [policy audit mode](https://docs.cilium.io/en/latest/security/policy-creation/#enable-policy-audit-mode-entire-daemon) is enabled for the entire Cilium Daemon or not (default). When enabled, this will log all dropped packets due to policy enforcement. It is useful for testing your network policies before enforcing them. Policy audit mode can be enabled on the shoot by adding the following configuration:
+
 ```yaml
 apiVersion: cilium.networking.extensions.gardener.cloud/v1alpha1
 kind: NetworkConfig
@@ -59,6 +64,25 @@ policyAuditMode: true
 
 > :warning: When you have enabled the policy audit mode, network policies are NOT enforced but only observed. This means that traffic that would have been denied by a network policy is allowed, but logged as `AUDIT` in Hubble.
 
+### Transparent Encryption
+
+It is possible to enable transparent encryption of Cilium-managed host traffic and traffic between Cilium-managed endpoint.
+Currently only [Wireguard encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/) is supported.
+
+An example cilium networking configuration could look like this:
+
+```yaml
+apiVersion: cilium.networking.extensions.gardener.cloud/v1alpha1
+kind: NetworkConfig
+encryption:
+  enabled: true
+  mode: wireguard
+```
+
+You can enable the feature [`node-to-node encryption`](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/#node-to-node-encryption-beta) of cilium using the `nodeToNodeEnabled` field.
+
+Find the API documentation for encryption [here](/hack/api-reference/cilium.md#cilium.networking.extensions.gardener.cloud/v1alpha1.Encryption)
+
 ## Example `Shoot` manifest
 
 Please find below an example `Shoot` manifest with cilium networking configuration:
@@ -99,4 +123,5 @@ spec:
 ...
 ```
 
- This setup prevents unnecessary node spin-ups and reduces the compute costs in single-node clusters.
+ This setup prevents unnecessary node spin-ups and reduces the compute costs in single-node clusters.
+