diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
index 4ac3b006e3..3541e3d380 100644
--- a/install/kubernetes/cilium/templates/cilium-configmap.yaml
+++ b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -608,7 +608,9 @@ data:
{{- if .Values.encryption.strictMode.enabled }}
enable-encryption-strict-mode: {{ .Values.encryption.strictMode.enabled | quote }}
- encryption-strict-mode-cidr: {{ .Values.encryption.strictMode.cidr | quote }}
+ encryption-strict-mode-node-cidrs: {{ .Values.encryption.strictMode.nodeCIDRList | join " " | quote }}
+
+ encryption-strict-mode-pod-cidrs: {{ .Values.encryption.strictMode.podCIDRList | join " " | quote }}
encryption-strict-mode-allow-remote-node-identities: {{ .Values.encryption.strictMode.allowRemoteNodeIdentities | quote }}
{{- end }}
diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
index c00e9af831..4661c16f56 100644
--- a/install/kubernetes/cilium/values.yaml
+++ b/install/kubernetes/cilium/values.yaml
@@ -794,17 +794,21 @@ encryption:
# This option is only effective when encryption.type is set to "wireguard".
nodeEncryption: false
- # -- Configure the WireGuard Pod2Pod strict mode.
+ # -- Configure the WireGuard strict mode.
strictMode:
- # -- Enable WireGuard Pod2Pod strict mode.
+ # -- Enable WireGuard strict mode.
enabled: false
+
+ # -- podCIDRList for the WireGuard strict mode.
+ podCIDRList: []
- # -- CIDR for the WireGuard Pod2Pod strict mode.
- cidr: ""
+ # -- nodeCIDRList for the WireGuard strict mode.
+ nodeCIDRList: []
# -- Allow dynamic lookup of remote node identities.
# This is required when tunneling is used or direct routing is used and the node CIDR and pod CIDR overlap.
- allowRemoteNodeIdentities: false
+ # This is also required when control-plane nodes are exempted from node-to-node encryption.
+ allowRemoteNodeIdentities: true
ipsec:
# -- Name of the key file inside the Kubernetes secret configured via secretName.