Recently I have started learning Kubernetes and it's amazing. I investigated the connectivity between the pods and came to a conclusion: why isn't there the possibility to encrypt the traffic inside a cluster or a node? I've seen some features like HostPort and HostNetwork and they had no real usage until now. WireGuard uses these to its advantage!
Wouldn't it be awesome if Kubernetes had the ability to use WireGuard to secure the communication between pods and nodes or even the master itself? It would create a whole secure intercommunication inside a cloud provider or your own Kubernetes setup.
WireGuard is pretty simple. Just get an open port, give it a public key, create a private key to encrypt your data stream and push it to the other endpoint.
Example configuration of the server:

[Interface]
PrivateKey = yAnz5TF+lXXJte14tji3zlMNq+hd2rYUIgJBgB3fBmk=
ListenPort = 51820
# Just make sure the ports are above 32727 so they won't collide with the NodePorts or LoadBalancer

[Peer]
PublicKey = xTIBA5rboUvnH4htodjb6e697QjLERt1NAB4mZqp8Dg=
AllowedIPs = service-cluster-ip
Example configuration of the client (pod, node or whatever):

[Interface]
PrivateKey = gI6EdUSYvn8ugXOt8QQD6Yc+JyiZxIhp3GInSWRfWGE=
ListenPort = 21841

[Peer]
PublicKey = HIgo9xNzJMWLKASShiTqIybxZ0U3wGLiUeJ1PKf8ykw=
Endpoint = router/gateway (masternode?)
AllowedIPs = 0.0.0.0/0
# or even the pod IPs, it's pretty easy to get them
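As an added example (not code from the original post), here is a small generator for such configs across a cluster: it writes a wg-quick style config for every node in a full mesh, routes only each peer's pod CIDR through the tunnel to that peer instead of 0.0.0.0/0, and refuses listen ports inside the default Kubernetes NodePort range (30000-32767). All node names, addresses, CIDRs and keys in it are constructed placeholders; real keys come from `wg genkey` and `wg pubkey`.

```python
"""Generate per-node WireGuard configs for a full mesh between Kubernetes nodes.

Added example, not code from the original post. Everything here is
constructed: node names, addresses, pod CIDRs and the placeholder keys.
Real keys come from `wg genkey` and `wg pubkey`.
"""
import base64
import hashlib
import ipaddress
from dataclasses import dataclass

# Kubernetes default --service-node-port-range; tunnel ports must stay outside it.
NODEPORT_MIN, NODEPORT_MAX = 30000, 32767


@dataclass(frozen=True)
class Node:
    name: str
    node_ip: str        # address other nodes reach this node on (used as Endpoint)
    pod_cidr: str       # pod network owned by this node (used as peers' AllowedIPs)
    listen_port: int
    private_key: str    # placeholder in this example, see placeholder_key()
    public_key: str     # placeholder in this example, see placeholder_key()


def placeholder_key(label: str) -> str:
    """Constructed 32-byte base64 string shaped like a WireGuard key.

    Only a placeholder so the example runs offline; NOT a real key pair.
    """
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def check_listen_port(port: int) -> bool:
    """True when the port is valid and does not collide with the NodePort range."""
    if not 1 <= port <= 65535:
        return False
    return not NODEPORT_MIN <= port <= NODEPORT_MAX


def check_no_overlap(nodes: list[Node]) -> bool:
    """True when no two nodes claim overlapping pod CIDRs.

    WireGuard routes by AllowedIPs (cryptokey routing), so overlapping
    ranges would silently send traffic to the wrong peer.
    """
    nets = [ipaddress.ip_network(n.pod_cidr) for n in nodes]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def render_config(me: Node, nodes: list[Node]) -> str:
    """Render the wg-quick style config for one node, peering with every other node."""
    if not check_listen_port(me.listen_port):
        raise ValueError(f"{me.name}: ListenPort {me.listen_port} is inside the NodePort range")
    if not check_no_overlap(nodes):
        raise ValueError("overlapping pod CIDRs between nodes")
    lines = [
        "[Interface]",
        f"PrivateKey = {me.private_key}",
        f"ListenPort = {me.listen_port}",
        "",
    ]
    for peer in nodes:
        if peer.name == me.name:
            continue
        lines += [
            "[Peer]",
            f"# {peer.name}",
            f"PublicKey = {peer.public_key}",
            f"Endpoint = {peer.node_ip}:{peer.listen_port}",
            # Only this peer's own pod network is routed through the tunnel to it.
            f"AllowedIPs = {peer.pod_cidr}",
            "",
        ]
    return "\n".join(lines)


def build_mesh(nodes: list[Node]) -> dict[str, str]:
    """Config text for every node, keyed by node name."""
    return {n.name: render_config(n, nodes) for n in nodes}


def sample_nodes() -> list[Node]:
    """Constructed three-node cluster used for the demonstration."""
    nodes = []
    for i, name in enumerate(("master", "worker-1", "worker-2")):
        nodes.append(Node(
            name=name,
            node_ip=f"10.0.0.{10 + i}",          # constructed
            pod_cidr=f"10.244.{i}.0/24",         # constructed
            listen_port=51820,                    # above the NodePort range
            private_key=placeholder_key(f"{name}-private"),
            public_key=placeholder_key(f"{name}-public"),
        ))
    return nodes


if __name__ == "__main__":
    for name, cfg in build_mesh(sample_nodes()).items():
        print(f"# ---- {name} ----\n{cfg}")
```

Narrowing AllowedIPs to each peer's pod CIDR is the safer choice than 0.0.0.0/0: a peer can then only ever receive the pod traffic it actually owns, and a misconfigured or compromised node cannot attract the whole cluster's traffic through its tunnel.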
WireGuard works within the kernel, so it's just an additional workload for the container. In case I am reposting this or someone else has had a similar solution, I am sorry. I just wanted to share an idea that might be a future feature of Kubernetes.
I am really excited to hear your opinion on this matter.