Traffic Encryption inside a cluster?

security

#1

Hello Community,

Recently I have started learning Kubernetes and it’s amazing. I investigated the connectivity between the pods and came to a conclusion: why isn’t there the possibility to encrypt the traffic inside a cluster or a node? I’ve seen some features like HostPort and HostNetwork and they had no real usage until now. Wireguard uses this to its advantage!

Wouldn’t it be awesome if Kubernetes had the ability to use Wireguard to secure the communication between pods and nodes or even the master itself? It would create a whole secure intercommunication inside a cloud provider or your own Kubernetes setup.

Wireguard is pretty simple. Just get an open port, give it a public key, create a private key to encrypt your data stream and push it to the other endpoint.

Example configuration of the server:

[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820

Just make sure the Ports are above 32727 so it won’t collide with the nodePorts or LoadBalancer

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = service-cluster-ip

Example configuration of the client (pod, node or whatever):

[Interface]
PrivateKey = gI6EdUSYvn8ugXOt8QQD6Yc+JyiZxIhp3GInSWRfWGE=
ListenPort = 21841

[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = router/gateway (masternode?)
AllowedIPs = 0.0.0.0/0 or even the pod.ips, it’s pretty easy to get

Wireguard works within the kernel so it’s just an additional workload for the container. In case I am reposting this or someone else had a similar solution I am sorry. I just wanted to share an idea that might be a future feature of Kubernetes.

I am really excited to hear your opinion on this matter.

Best regards,

Breedi


#2

Neat idea! :slight_smile:

Many customers I have worked with want to selectively enable encryption via e.g. Envoy (or Istio) and enforce which Pods can communicate at all also using Network Policies.

There’s also this guide for node-to-node WireGuard configuration for those who may be interested.

Since Pods come and go, perhaps an Operator could be useful here, to help set things up for inter-Pod communication.

Have you deployed this and seen that it works as intended?
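The node-to-node layout sketched in the first post (and the guide mentioned in the reply) is easier to reason about when each node's peer entries are generated from the cluster's node list, with `AllowedIPs` scoped to that node's pod CIDR rather than `0.0.0.0/0`. The following is an added example written for this thread, not code from either poster or from Kubernetes or WireGuard; the node addresses, pod CIDRs and key strings are constructed placeholders.

```python
"""Render per-node WireGuard configs for a node-to-node overlay (constructed example)."""
import ipaddress
from dataclasses import dataclass

NODEPORT_RANGE = range(30000, 32768)  # Kubernetes default --service-node-port-range
WG_PORT = 51820                       # WireGuard's conventional port, outside that range


@dataclass
class Node:
    name: str
    public_ip: str    # address the other nodes reach this node on
    pod_cidr: str     # the pod range the scheduler assigned to this node
    public_key: str
    private_key: str  # only rendered into this node's own config


def check_pod_cidrs(nodes: list[Node]) -> list[tuple[str, str]]:
    """Return node pairs whose AllowedIPs would overlap.

    WireGuard sends each destination to the peer with the longest matching
    AllowedIPs prefix, so overlapping ranges silently steer traffic to the
    wrong peer instead of failing loudly.
    """
    nets = [(n.name, ipaddress.ip_network(n.pod_cidr)) for n in nodes]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def render_config(me: Node, nodes: list[Node], port: int = WG_PORT) -> str:
    """Build the wg-quick style config for `me`, peering with every other node."""
    if port in NODEPORT_RANGE:
        raise ValueError(f"port {port} collides with the NodePort range")
    conflicts = check_pod_cidrs(nodes)
    if conflicts:
        raise ValueError(f"overlapping pod CIDRs: {conflicts}")
    lines = ["[Interface]", f"PrivateKey = {me.private_key}", f"ListenPort = {port}"]
    for peer in nodes:
        if peer.name == me.name:
            continue
        # Only the peer's pod range and its own address: never 0.0.0.0/0,
        # which would pull every destination through a single peer.
        lines += ["", f"# {peer.name}", "[Peer]", f"PublicKey = {peer.public_key}",
                  f"Endpoint = {peer.public_ip}:{port}",
                  f"AllowedIPs = {peer.pod_cidr}, {peer.public_ip}/32"]
    return "\n".join(lines) + "\n"


# Constructed two-node cluster; key strings are placeholders, not real keys.
CLUSTER = [
    Node("node-a", "203.0.113.1", "10.244.0.0/24", "PUBKEY_A_PLACEHOLDER", "PRIVKEY_A_PLACEHOLDER"),
    Node("node-b", "203.0.113.2", "10.244.1.0/24", "PUBKEY_B_PLACEHOLDER", "PRIVKEY_B_PLACEHOLDER"),
]
```

Running `render_config(CLUSTER[0], CLUSTER)` yields node-a's config with a single `[Peer]` block for node-b whose `AllowedIPs` covers only `10.244.1.0/24` and node-b's own address.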