Add WireGuard to the firewall rules documentation #27170

Merged
merged 2 commits into from Sep 1, 2023

Conversation

joestringer (Member)

  • docs: Word-wrap firewall section
  • docs: Add WireGuard into the firewall rules

@joestringer joestringer requested review from a team as code owners July 31, 2023 23:30
@joestringer joestringer added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.12 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Jul 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Jul 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.1 Jul 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.13.6 Jul 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.12.13 Jul 31, 2023
@joestringer joestringer changed the title Add WireGuard to the firewall rules documentatino Add WireGuard to the firewall rules documentation Jul 31, 2023
@joestringer (Member Author)

/test

@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Needs backport from main in 1.12.13 Jul 31, 2023
@brb (Member) left a comment


Thanks!

@learnitall (Contributor) left a comment


Nice catch, thank you for adding this! I think there are a couple of changes we could make to add more context to this.

  • If WireGuard is enabled with tunnel mode, do users need to open firewall rules for VXLAN/Geneve and WireGuard, or just WireGuard, since packets bypass the VXLAN/Geneve tunnels when WireGuard is enabled? If users only need to open a port for WireGuard, can we add a statement saying so?
  • If users need to open ports for WireGuard and VXLAN/Geneve, can we move the information for WireGuard into its own paragraph, similar to IPsec?

@joestringer (Member Author)

@brb can you help to answer the above questions?

@brb (Member) commented Aug 3, 2023

It's a bit tricky, as it depends on the encryption mode.

  • With encryption.nodeEncryption=true, all traffic flows through the WireGuard tunnel device completely bypassing the VXLAN/Geneve tunnels.
  • With encryption.nodeEncryption=false, the pod-to-pod traffic will bypass the VXLAN/Geneve tunnels, but the host-to-pod flows through the VXLAN/Geneve tunnels.

TL;DR with the node encryption enabled, there is no need to open ports for the VXLAN/Geneve tunnels.
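The decision brb describes above (WireGuard with node encryption replaces the overlay entirely; without node encryption, host-to-pod traffic still rides VXLAN/Geneve, so both sets of ports stay open) is easy to get wrong when writing node firewall rules by hand. The following Go program is an added example, not code from this PR or from the Cilium project: it takes the relevant settings (tunnel mode, WireGuard on/off, nodeEncryption) and derives the UDP ports that must be allowed between nodes, then renders them as iptables commands. The port numbers (VXLAN 8472, Geneve 6081, WireGuard 51871) are assumed Cilium defaults and should be checked against your own cilium-config; the struct and function names are this example's own. It also covers native routing (tunnel disabled), which the thread does not discuss explicitly: there are no overlay ports to open in that mode regardless of encryption settings. IPsec is deliberately left out.

```go
package main

import (
	"fmt"
	"sort"
)

// EncryptionConfig holds the settings the thread reasons about. Field names
// are this example's own; they correspond to the Helm values `tunnel`,
// `encryption.enabled` + `encryption.type=wireguard`, and
// `encryption.nodeEncryption`.
type EncryptionConfig struct {
	Tunnel         string // "vxlan", "geneve", or "disabled" (native routing)
	WireGuard      bool   // WireGuard transparent encryption enabled
	NodeEncryption bool   // encryption.nodeEncryption
}

// Assumed Cilium defaults; verify against the running cilium-config ConfigMap.
const (
	vxlanPort     = 8472  // VXLAN UDP port (assumed default)
	genevePort    = 6081  // Geneve UDP port (assumed default)
	wireguardPort = 51871 // WireGuard UDP port (assumed default)
)

// Rule is one inbound UDP port that must be allowed from other cluster nodes.
type Rule struct {
	Port int
	Why  string
}

// RequiredUDPPorts applies the logic from the thread:
//   - WireGuard + nodeEncryption=true: every node-to-node packet leaves through the
//     WireGuard device, so the VXLAN/Geneve port does not need to be open.
//   - WireGuard + nodeEncryption=false: pod-to-pod bypasses the overlay, but
//     host-to-pod still uses it, so both WireGuard and the overlay port are needed.
//   - No WireGuard: the overlay port is needed whenever tunnel mode is on.
//   - tunnel=disabled (native routing): no overlay port in any case.
func RequiredUDPPorts(c EncryptionConfig) []Rule {
	var rules []Rule
	if c.WireGuard {
		rules = append(rules, Rule{wireguardPort, "WireGuard: encrypted node-to-node traffic"})
	}

	overlayInUse := c.Tunnel == "vxlan" || c.Tunnel == "geneve"
	if overlayInUse && c.WireGuard && c.NodeEncryption {
		overlayInUse = false // all traffic rides the WireGuard tunnel device
	}
	if overlayInUse {
		why := "overlay tunnel"
		if c.WireGuard {
			why = "overlay tunnel: host-to-pod traffic still uses it when nodeEncryption=false"
		}
		if c.Tunnel == "vxlan" {
			rules = append(rules, Rule{vxlanPort, "VXLAN " + why})
		} else {
			rules = append(rules, Rule{genevePort, "Geneve " + why})
		}
	}

	// Deterministic output so generated rule sets can be diffed.
	sort.Slice(rules, func(i, j int) bool { return rules[i].Port < rules[j].Port })
	return rules
}

// IptablesCommands renders the rules as INPUT allows restricted to the node
// CIDR, so the ports are not exposed to arbitrary sources.
func IptablesCommands(c EncryptionConfig, nodeCIDR string) []string {
	var out []string
	for _, r := range RequiredUDPPorts(c) {
		out = append(out, fmt.Sprintf(
			"iptables -A INPUT -s %s -p udp --dport %d -m comment --comment %q -j ACCEPT",
			nodeCIDR, r.Port, r.Why))
	}
	return out
}

func main() {
	// Constructed scenarios; 10.0.0.0/24 is a placeholder node CIDR.
	scenarios := []EncryptionConfig{
		{Tunnel: "vxlan", WireGuard: true, NodeEncryption: true},
		{Tunnel: "vxlan", WireGuard: true, NodeEncryption: false},
		{Tunnel: "geneve", WireGuard: false},
		{Tunnel: "disabled", WireGuard: true, NodeEncryption: false},
	}
	for _, c := range scenarios {
		fmt.Printf("# tunnel=%s wireguard=%v nodeEncryption=%v\n", c.Tunnel, c.WireGuard, c.NodeEncryption)
		for _, cmd := range IptablesCommands(c, "10.0.0.0/24") {
			fmt.Println(cmd)
		}
	}
}
```

The function is the part worth reusing: feed it the values from your Helm release and compare its output with the node firewall before enabling node encryption, since the nodeEncryption=false case is the one where dropping the overlay port silently breaks host-to-pod traffic.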

@joestringer joestringer marked this pull request as draft August 3, 2023 18:02
@nebril nebril added this to Needs backport from main in 1.13.7 Aug 10, 2023
@nebril nebril removed this from Needs backport from main in 1.13.6 Aug 10, 2023
@nebril nebril added this to Needs backport from main in 1.14.2 Aug 10, 2023
@nebril nebril removed this from Needs backport from main in 1.14.1 Aug 10, 2023
This just makes it easier for editing. No changes.

Signed-off-by: Joe Stringer <joe@cilium.io>
Signed-off-by: Joe Stringer <joe@cilium.io>
@joestringer (Member Author)

/test

@joestringer joestringer marked this pull request as ready for review August 30, 2023 19:18
@joestringer joestringer requested review from learnitall and removed request for learnitall August 30, 2023 19:19
@learnitall (Contributor) left a comment


Looks great! Thanks!

@joestringer joestringer merged commit a568868 into main Sep 1, 2023
56 checks passed
@joestringer joestringer deleted the pr/joe/wg-fw-docs branch September 1, 2023 18:28
@jibi jibi mentioned this pull request Sep 4, 2023
16 tasks
@jibi jibi added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Sep 4, 2023
@jibi jibi mentioned this pull request Sep 4, 2023
10 tasks
@jibi jibi added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Sep 4, 2023
@michi-covalent michi-covalent moved this from Needs backport from main to Backport done to v1.14 in 1.14.2 Sep 9, 2023
@michi-covalent michi-covalent added this to Backport pending to v1.13 in 1.13.8 Sep 9, 2023
@michi-covalent michi-covalent removed this from Needs backport from main in 1.13.7 Sep 9, 2023
@michi-covalent michi-covalent added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Sep 9, 2023
@michi-covalent michi-covalent removed this from Backport pending to v1.13 in 1.13.8 Sep 9, 2023
@michi-covalent michi-covalent added this to Backport done to v1.13 in 1.13.7 Sep 9, 2023