Add WireGuard host2host and LB encryption #19401
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
brb
added
sig/datapath
|
/test-1.23-net-next |
|
test-1.23-net-next |
brb
force-pushed
the
pr/gandro+brb/wg-host-encryption-v2
branch
from
f7e67e9
to
6224144
Compare
brb
changed the title
brb
removed
the
release-blocker/1.12
Closed
This was referenced Apr 26, 2022
gandro
force-pushed
the
pr/gandro+brb/wg-host-encryption-v2
branch
from
6224144
to
1ee8cd2
Compare
This comment was marked as resolved.
This comment was marked as resolved.
github-actions
bot
added
the
stale
brb
removed
the
stale
|
This pull request has been automatically marked as stale because it |
github-actions
bot
added
the
stale
github-actions
bot
removed
the
stale
This comment was marked as resolved.
This comment was marked as resolved.
github-actions
bot
added
the
stale
brb
added
pinned
brb
force-pushed
the
pr/gandro+brb/wg-host-encryption-v2
branch
2 times, most recently
from
37d5c58
to
f321011
Compare
|
/test |
2 tasks
2 tasks
gandro
force-pushed
the
pr/gandro+brb/wg-host-encryption-v2
branch
from
f321011
to
92667af
Compare
pchaigno
approved these changes
Jan 23, 2023
7 tasks
|
Got reviews from majority of folks. Marking as ready-to-merge. |
brb
added
the
ready-to-merge
2 tasks
giorio94
added a commit
to giorio94/cilium
that referenced
this pull request
Feb 20, 2023
Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of cilium#19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
pchaigno
pushed a commit
that referenced
this pull request
Feb 20, 2023
Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of #19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
sayboras
pushed a commit
to sayboras/cilium
that referenced
this pull request
Feb 27, 2023
[upstream commit 5463073] Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of cilium#19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
sayboras
pushed a commit
to sayboras/cilium
that referenced
this pull request
Feb 27, 2023
[upstream commit 5463073] Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of cilium#19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
sayboras
pushed a commit
that referenced
this pull request
Feb 28, 2023
[upstream commit 5463073] Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of #19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
sayboras
pushed a commit
that referenced
this pull request
Feb 28, 2023
[upstream commit 5463073] Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of #19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
YutaroHayakawa
pushed a commit
to YutaroHayakawa/cilium
that referenced
this pull request
Mar 17, 2023
Currently, wireguard encryption is not performed when the nodes have ipv6-only addresses, since it relies on the tunnel_endpoint field of the ipcache map (which is not set in such case). This limitation has been removed with the reworking performed as part of cilium#19401. As for previous versions, this commit adds a check to prevent the agent from starting in this configuration. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com> Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
gandro
added a commit
to gandro/cilium
that referenced
this pull request
May 30, 2023
This commit fixes an outdated comment in our Helm `values.yaml` file. Originally, node-to-node encryption was a beta feature only supported with IPSec. However, since then, we have removed the IPSec support (cilium#21333), but have added support in WireGuard instead (cilium#19401). Fixes: 5e98037 ("cmd: Unhide node-encryption flag") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
michi-covalent
pushed a commit
to michi-covalent/cilium
that referenced
this pull request
May 30, 2023
This commit introduces the following encryption tests which check whether there is no unencrypted traffic leakage: * Node to remote pod * Pod to remote node * Node to remote node Also, it refactors the previous encryption test case to make it reusable by the new test cases. One important detail is that the tcpdump filter is appended with "and (tcp or icmp)", as otherwise in the case of the node-to-node test case the tcpdump would capture encrypted UDP WireGuard traffic. Tested manually with cilium#19401 (until #merge-cilium-and-cilium-cli). Signed-off-by: Martynas Pumputis <m@lambda.lt>
julianwiedmann
pushed a commit
that referenced
this pull request
May 31, 2023
This commit fixes an outdated comment in our Helm `values.yaml` file. Originally, node-to-node encryption was a beta feature only supported with IPSec. However, since then, we have removed the IPSec support (#21333), but have added support in WireGuard instead (#19401). Fixes: 5e98037 ("cmd: Unhide node-encryption flag") Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for node-to-node encryption to WireGuard. To achieve this, we've completely changed the WireGuard integration in the datapath. Previously, WireGuard support was implemented by marking packets to be encrypted in
"from-container"and redirecting it to the WireGuard tunnel via a hostns IP rule. This worked fine for traffic originating in pods - but for node-to-node traffic, we need to redirect the packets on the outgoing network interface. Thus, the new implementation attachesbpf_hostto the outgoing device and redirects packets to the WireGuard tunnel from there. See commit descriptions for more details.On the agent side, there are also changes to the implementation. Previously, the datapath assumed that any IPCache entry with an associated tunnel endpoint would need encryption. To determine if we need to encryption traffic to a remote endpoint, we now rely on the
encrypt_keyfield instead. This allows us to more precisely track if traffic to a particular destination needs to be encrypted, and allows certain nodes to opt out of encryption (see below). The agent code has been updated to populate the CiliumEndpoint and CiliumNode CRDs with a static non-zeroEncryptKeyvalue if encryption for those resources is enabled.Additional points worth noting:
ensure worker nodes are always able to communicate with the kube-apiserver node, in order to be able to manage their own encryption key. See docs for more details.
✔️ https://github.com/cilium/cilium/actions/runs/3884806887/jobs/6627856819
ℹ️ Please see commit messages for many more details
Joint work between @gandro and @brb
Follow-ups, to be done in separate PRs: