
Can you chain Cilium on top of other plugins and enable Cilium transparent encryption? #15596

Closed
joestringer opened this issue Apr 7, 2021 · 4 comments
Labels
kind/question Frequently asked questions & answers. This issue will be linked from the documentation's FAQ.

Comments

@joestringer (Member)

Q: Can you chain Cilium on top of other plugins such as aws-cni or calico, and enable Cilium transparent encryption?

A: This is not supported currently. Typically the other plugin in this scenario is responsible for underlying connectivity to the network, so it is difficult for Cilium to correctly integrate at that layer to ensure that the traffic is encrypted.

Users who are interested in encryption with Cilium are suggested to avoid chaining on top of other plugins, and install Cilium by itself instead.

@joestringer (Member Author) commented Apr 7, 2021

@jrfastab and I had a brief discussion on Slack today about this, our assessment was that we don't identify any fundamental limitations that prevent this from being supported, but it would require significant additional work to implement and fully validate. It would depend on the exact packet paths that are taken through the stack while chaining with a particular other plugin.

Beyond that, from a pure operational perspective it is simpler to have just one plugin in charge of the CNI networking, as it is then easier to debug and pinpoint where networking problems are. As such, it's unlikely that we will work on solving this any time soon. We would accept patches to extend Cilium to support this use case.

@dhruvjain51

@joestringer - the AWS CNI chaining doc particularly calls out IPsec as incompatible with aws cni-chaining. Does the same restriction apply to WireGuard as well?

@joestringer (Member Author)

The same principle applies in general that the AWS CNI is responsible for networking in that case, so it's hard to guarantee that it will work. You could try it out, and if you find that WireGuard works in your environment chaining with AWS CNI then please report back your findings.
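The combination discussed in this thread (a CNI chaining mode together with IPsec or WireGuard transparent encryption) is visible in the cilium-config ConfigMap. The following is an added example, not code from the Cilium project or from anyone in this thread: a small POSIX shell check that reads "key: value" lines such as the `data:` section of `kubectl -n kube-system get configmap cilium-config -o yaml` and flags a chaining mode other than `none` combined with `enable-ipsec` or `enable-wireguard`. The key names `cni-chaining-mode`, `enable-ipsec` and `enable-wireguard` are assumed to match the ConfigMap; the two sample files are constructed for the demonstration.

```shell
# Added example (not Cilium project code). Assumed cilium-config keys:
#   cni-chaining-mode, enable-ipsec, enable-wireguard
# Input: a file of "key: value" lines, e.g. the output of
#   kubectl -n kube-system get configmap cilium-config -o yaml

# cfg_value FILE KEY -> prints the value of KEY (surrounding quotes removed),
# or nothing if the key is absent. Leading indentation is tolerated so the
# "data:" section of the YAML dump can be fed in directly.
cfg_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# check_chaining_encryption FILE
# Returns 0 when the config is either not chained or not encrypted.
# Returns 2 when a chaining mode other than "none" is combined with
# IPsec or WireGuard, the combination this issue says is unsupported.
check_chaining_encryption() {
  mode=$(cfg_value "$1" cni-chaining-mode)
  ipsec=$(cfg_value "$1" enable-ipsec)
  wg=$(cfg_value "$1" enable-wireguard)
  enc=""
  [ "$ipsec" = "true" ] && enc="ipsec"
  [ "$wg" = "true" ] && enc="${enc:+$enc,}wireguard"
  if [ -n "$mode" ] && [ "$mode" != "none" ] && [ -n "$enc" ]; then
    echo "UNSUPPORTED: cni-chaining-mode=$mode together with encryption ($enc)"
    return 2
  fi
  echo "OK: cni-chaining-mode=${mode:-none} encryption=${enc:-none}"
  return 0
}

# Constructed sample ConfigMap data (not captured from a real cluster).
cat > /tmp/cilium-cfg-chained.txt <<'EOF'
cni-chaining-mode: aws-cni
enable-ipv4: "true"
enable-ipsec: "true"
EOF
cat > /tmp/cilium-cfg-standalone.txt <<'EOF'
cni-chaining-mode: none
enable-wireguard: "true"
EOF

for f in /tmp/cilium-cfg-chained.txt /tmp/cilium-cfg-standalone.txt; do
  check_chaining_encryption "$f" || :
done
```

Run it against a real dump the same way: save the ConfigMap YAML to a file and pass it to `check_chaining_encryption`. A non-zero exit is a signal to reconsider the install rather than an error from Cilium itself; the thread above notes that the plugin owning the node networking determines whether encrypted paths actually work.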

@austince (Contributor)

For AWS, it seems like they've got a guide for enabling wireguard w/ chaining mode: https://aws.amazon.com/blogs/containers/transparent-encryption-of-node-to-node-traffic-on-amazon-eks-using-wireguard-and-cilium/
