---
title: Encrypt in-cluster pod traffic
description: Enable WireGuard for state-of-the-art cryptographic security between pods for Calico clusters.
---
Enable WireGuard to secure on-the-wire, in-cluster pod traffic in a {{site.prodname}} cluster.
{{ site.prodname }} automatically creates and manages WireGuard tunnels between nodes, providing transport-level security for on-the-wire, in-cluster pod traffic. WireGuard provides {% include open-new-window.html text='formally verified' url='https://www.wireguard.com/formal-verification/' %}, secure and {% include open-new-window.html text='performant tunnels' url='https://www.wireguard.com/performance/' %} without any specialized hardware. For a deep dive into the WireGuard implementation, see this {% include open-new-window.html text='whitepaper' url='https://www.wireguard.com/papers/wireguard.pdf' %}.
This how-to guide uses the following {{site.prodname}} features:

- Felix configuration resource with WireGuard configuration parameters

Before you begin:

- Install and configure calicoctl.
- Verify that the operating system(s) running on the nodes in the cluster {% include open-new-window.html text='support WireGuard' url='https://www.wireguard.com/install/' %}.
- WireGuard in {{site.prodname}} requires node IP addresses to establish secure tunnels between nodes. {{site.prodname}} can automatically detect the IP address of a node using the IP setting and IP autodetection method in the calico/node resource:
  - Set the `IP` (or `IP6`) environment variable to `autodetect`.
  - Set `IP_AUTODETECTION_METHOD` (or `IP6_AUTODETECTION_METHOD`) to an appropriate value. If there are multiple interfaces on a node, set the value to detect the IP address of the primary interface.
Note: WireGuard in {{site.prodname}} does not support IPv6 at this time. Also, encryption using WireGuard is not supported if `CALICO_NETWORKING_BACKEND=none`, that is, when {{site.prodname}} is used for policy only and not for networking (e.g. managed Kubernetes platforms EKS, AKS and GKE).
{: .alert .alert-info}
- Install WireGuard
- Enable WireGuard for a cluster
- Disable WireGuard for an individual node
- Verify configuration
- Disable WireGuard for a cluster
Install WireGuard on cluster nodes using {% include open-new-window.html text='instructions for your operating system' url='https://www.wireguard.com/install/' %}. Note that you may need to reboot your nodes after installing WireGuard to make the kernel modules available on your system.
Use the following instructions for operating systems that are not listed on the WireGuard installation page.

{% tabs %}
label:EKS,active:true
<%
To install WireGuard on the default Amazon Machine Image (AMI):

```bash
sudo yum install kernel-devel-`uname -r` -y
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
sudo curl -o /etc/yum.repos.d/jdoss-wireguard-epel-7.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
sudo yum install wireguard-dkms wireguard-tools -y
```
%>
label:OpenShift
<%
To install WireGuard for OpenShift v4.3:

- Create a MachineConfig for WireGuard. The `spec.config` section is left empty here and is filled in later from the generated Ignition config.

  ```bash
  cat <<EOF > mc-wg-worker.yaml
  apiVersion: machineconfiguration.openshift.io/v1
  kind: MachineConfig
  metadata:
    labels:
      machineconfiguration.openshift.io/role: worker
    name: 10-kvc-wireguard-kmod
  spec:
    config:
  EOF
  ```

- Create the base Ignition config. The systemd unit pulls in the `kmods-via-containers@wireguard-kmod` service so the module is built and loaded at boot.

  ```bash
  cat <<EOF > ./wg-config.ign
  {
    "ignition": { "version": "2.2.0" },
    "systemd": {
      "units": [{
        "name": "require-kvc-wireguard-kmod.service",
        "enabled": true,
        "contents": "[Unit]\nRequires=kmods-via-containers@wireguard-kmod.service\n[Service]\nType=oneshot\nExecStart=/usr/bin/true\n\n[Install]\nWantedBy=multi-user.target"
      }]
    }
  }
  EOF
  ```

- Configure files.

  ```bash
  FAKEROOT=$(mktemp -d)
  git clone https://github.com/kmods-via-containers/kmods-via-containers
  cd kmods-via-containers
  make install DESTDIR=${FAKEROOT}/usr/local CONFDIR=${FAKEROOT}/etc/
  cd ..
  git clone https://github.com/realgaurav/kvc-wireguard-kmod
  cd kvc-wireguard-kmod
  make install DESTDIR=${FAKEROOT}/usr/local CONFDIR=${FAKEROOT}/etc/
  cd ..
  ```

- Configure RPMs for kernel-core, kernel-devel and kernel-modules for the host kernel (find the kernel version by running `uname -r` on the host). Update `$FAKEROOT/etc/kvc/wireguard-kmod.conf` with the RPM location.

- Get RHEL entitlement data from your own RHEL8 system.

  ```bash
  [your-rhel8-host] # tar -czf subs.tar.gz /etc/pki/entitlement/ /etc/rhsm/ /etc/yum.repos.d/redhat.repo
  ```

- Copy the archive into the workspace and extract it into the fake root so that it is added to the MachineConfig. Note that the entitlement certificates and keys end up inside the MachineConfig object, so restrict who can read MachineConfigs in the cluster.

  ```bash
  tar -x -C ${FAKEROOT} -f subs.tar.gz
  ```

- Get filetranspiler to generate the usable MachineConfig. The `sed` indents the generated YAML by four spaces so that it lands under `spec.config` in `mc-wg-worker.yaml`.

  ```bash
  git clone https://github.com/ashcrow/filetranspiler
  ./filetranspiler/filetranspile -i ./wg-config.ign -f ${FAKEROOT} --format=yaml --dereference-symlinks | sed 's/^/    /' | (cat mc-wg-worker.yaml -) > mc-wg.yaml
  ```

- With KUBECONFIG set, apply the MachineConfig you created.

  ```bash
  oc create -f mc-wg.yaml
  ```
%>
{% endtabs %}
Note: Nodes that do not support WireGuard are not secured by WireGuard tunnels. Pod traffic to and from such a node travels unencrypted, even when the node at the other end does support WireGuard.
{: .alert .alert-info}
Enable WireGuard encryption across all the nodes using the following command.

```bash
calicoctl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'
```
For OpenShift, add the Felix configuration with WireGuard enabled under custom resources.
Note: The above command can also be used to change other WireGuard attributes. For a list of other WireGuard parameters and how the configuration is evaluated, see the Felix configuration reference.
{: .alert .alert-info}

We recommend that you review and modify the MTU used by {{site.prodname}} networking when WireGuard is enabled, because WireGuard encapsulation adds per-packet overhead and an MTU that ignores it causes fragmentation and lower throughput. Follow the instructions in the Configure MTU to maximize network performance guide to set the MTU to a value appropriate for your network.
To disable WireGuard on a specific node that has WireGuard installed, modify the node-specific Felix configuration (`felixconfiguration node.<Node-Name>`). For example, to disable encryption for pod traffic on node `my-node`, use the following command:

```bash
calicoctl patch felixconfiguration node.my-node --type='merge' -p '{"spec":{"wireguardEnabled":false}}'
```

With the above command, {{site.prodname}} will not encrypt any of the pod traffic to or from node `my-node`, including traffic exchanged with nodes that still have WireGuard enabled.
To verify that the nodes are configured for WireGuard encryption, check the node status set by Felix using `calicoctl`. For example:

```bash
$ calicoctl get node <NODE-NAME> -o yaml
...
status:
  ...
  wireguardPublicKey: jlkVyQYooZYzI2wFfNhSZez5eWh44yfq1wKVjLvSXgY=
  ...
```

A node whose status has no `wireguardPublicKey` is not participating in WireGuard, and pod traffic to and from it is sent in the clear.
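Checking one node at a time does not scale, and the note above about unsupported nodes means a single node without a key leaves every flow touching it unencrypted. The following script is an added example (not part of the {{site.prodname}} project) that audits the whole cluster from the JSON forms of the two commands used on this page, `calicoctl get felixconfigurations -o json` and `calicoctl get nodes -o json`. The field names `spec.wireguardEnabled`, `status.wireguardPublicKey` and the `node.<name>` per-node FelixConfiguration come from this page; the List wrapper with an `items` array is assumed to match calicoctl's JSON list output, and the two documents embedded below are constructed samples, not captured from a real cluster.

```python
"""Audit which nodes actually have WireGuard-encrypted pod traffic.

Added example, not Calico project code. Input shapes are assumed to match
`calicoctl get felixconfigurations -o json` and `calicoctl get nodes -o json`
(a List object with an "items" array); the sample documents are constructed.
"""
import base64
import json

# Constructed sample: default has WireGuard on, node-b overrides it off.
FELIX_JSON = json.dumps({
    "kind": "FelixConfigurationList", "apiVersion": "projectcalico.org/v3",
    "items": [
        {"kind": "FelixConfiguration", "apiVersion": "projectcalico.org/v3",
         "metadata": {"name": "default"}, "spec": {"wireguardEnabled": True}},
        {"kind": "FelixConfiguration", "apiVersion": "projectcalico.org/v3",
         "metadata": {"name": "node.node-b"}, "spec": {"wireguardEnabled": False}},
    ],
})

# Constructed sample nodes:
#   node-a: key published (the key value is the one shown on this page, reused here)
#   node-b: no key, because WireGuard is disabled for it per node
#   node-c: enabled but no status at all, e.g. the kernel module is missing on that host
#   node-d: status carries a malformed key, which must not count as secured
NODES_JSON = json.dumps({
    "kind": "NodeList", "apiVersion": "projectcalico.org/v3",
    "items": [
        {"kind": "Node", "metadata": {"name": "node-a"},
         "status": {"wireguardPublicKey": "jlkVyQYooZYzI2wFfNhSZez5eWh44yfq1wKVjLvSXgY="}},
        {"kind": "Node", "metadata": {"name": "node-b"}, "status": {}},
        {"kind": "Node", "metadata": {"name": "node-c"}},
        {"kind": "Node", "metadata": {"name": "node-d"},
         "status": {"wireguardPublicKey": "not-a-key"}},
    ],
})


def is_wireguard_key(key):
    """A WireGuard public key is a 32-byte Curve25519 point, base64 encoded."""
    if not isinstance(key, str):
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def wireguard_audit(felix_json, nodes_json):
    """Classify every node by whether Felix will actually encrypt its pod traffic."""
    felix = {item["metadata"]["name"]: item.get("spec", {})
             for item in json.loads(felix_json)["items"]}
    default_on = bool(felix.get("default", {}).get("wireguardEnabled", False))
    report = {"default_enabled": default_on, "secured": [], "disabled": [], "no_key": []}
    for node in json.loads(nodes_json)["items"]:
        name = node["metadata"]["name"]
        # A node.<name> FelixConfiguration overrides the default; an absent field inherits it.
        override = felix.get("node." + name, {}).get("wireguardEnabled")
        enabled = default_on if override is None else bool(override)
        key = node.get("status", {}).get("wireguardPublicKey")
        if not enabled:
            report["disabled"].append(name)
        elif not is_wireguard_key(key):
            report["no_key"].append(name)
        else:
            report["secured"].append(name)
    return report


def unencrypted_nodes(report):
    """Nodes whose pod traffic crosses the wire in the clear in both directions,
    regardless of whether the peer node supports WireGuard."""
    return sorted(report["disabled"] + report["no_key"])


if __name__ == "__main__":
    rep = wireguard_audit(FELIX_JSON, NODES_JSON)
    print(json.dumps(rep, indent=2))
    print("unencrypted:", unencrypted_nodes(rep))
```

On a live cluster, replace the two constants with the output of `calicoctl get felixconfigurations -o json` and `calicoctl get nodes -o json`; any node listed under `no_key` while the default is enabled is the case the note above warns about and usually means the WireGuard kernel module is not loadable on that host.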
To disable WireGuard on all nodes, modify the default Felix configuration. For example:

```bash
calicoctl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":false}}'
```