Use Weave Password Encryption for KOps deployment #699

Open
summerswallow-whi opened this issue May 25, 2018 · 4 comments

Comments

@summerswallow-whi

commented May 25, 2018

I've investigated using password encryption with weave. If you've followed the instructions for deploying kubernetes with KOps, the default deployment uses weave. Weave has a capability of employing password encryption. Once activated, the encryption in transit is seamless.

Here are the steps so far:

  1. Install Kubernetes with KOps per the z2jh documentation steps.
  2. (optional) Run `kubectl --namespace kube-system get pods` and verify there are weave-net pods.
  3. Create a password file. I did `openssl rand -hex 128 >weave-passwd`.
  4. Create a Kubernetes Secret in the kube-system namespace:
     `kubectl create secret -n kube-system generic weave-passwd --from-file=./weave-passwd`
  5. Verify the secret: `kubectl -n kube-system describe secret weave-passwd`
     This is very important: the secret name (e.g. weave-passwd) and the Data label must be the same. Apparently the Data tag is picked up from the filename in the manner I created the secret. Someone more skilled with Kubernetes could possibly genericize and explain this process better. I have seen in the weave documentation others use the `--from-literal` flag instead of the `--from-file` flag.
  6. Edit the weave-net daemonset. I used `kubectl edit --namespace=kube-system daemonset weave-net`.
     Add the following to the spec.template.spec:

     ```yaml
     - name: WEAVE_PASSWORD
       valueFrom:
         secretKeyRef:
           key: weave-passwd
           name: weave-passwd
     ```

     Here key and name should be the same and should match the name of the Kubernetes Secret.
     I'm thinking there is a one line kubectl command to accomplish step 5. I could use some help from a more experienced Kubernetes person to boil this step down.
  7. (optional) Run `kubectl --namespace kube-system get pods` again and verify new pods are created.

That's pretty much it. Then complete the installation of JH via the remainder of the documentation.

@summerswallow-whi
Author

commented May 25, 2018

To verify it is properly running, after a get pods command execute:

```sh
kubectl exec -n kube-system weave-net-<pod> -c weave -- /home/weave/weave --local status
```

You should get something like:

```
       Version: 2.3.0 (up to date; next check at 2018/05/25 22:56:17)

        Service: router
       Protocol: weave 1..2
           Name: 76:ce:c9:79:52:1c(ip-10-2-0-149.us-west-2.compute.internal)
     Encryption: enabled
  PeerDiscovery: enabled
        Targets: 3
    Connections: 3 (2 established, 1 failed)
          Peers: 3 (with 6 established connections)
 TrustedSubnets: none

        Service: ipam
         Status: ready
          Range: 100.96.0.0/11
  DefaultSubnet: 100.96.0.0/11
```

and note the encryption status is enabled.

@summerswallow-whi
Author

commented May 29, 2018

To patch it:

```sh
kubectl patch --namespace=kube-system daemonset/weave-net --type json -p '[ { "op": "add", "path": "/spec/template/spec/containers/0/env/0", "value": { "name": "WEAVE_PASSWORD", "valueFrom": { "secretKeyRef": { "key": "weave-passwd", "name": "weave-passwd" } } } } ]'
```

The preceding replaces step 6 above.

To remove encryption:

```sh
# inverse of the add above; assumes env/0 is still the WEAVE_PASSWORD entry
kubectl patch --namespace=kube-system daemonset/weave-net --type json -p '[ { "op": "remove", "path": "/spec/template/spec/containers/0/env/0" } ]'
```
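The steps in the first comment and the patch/verify commands above, as an added example (not code from this issue, kops or Weave): it uses a strategic-merge patch keyed on the container name `weave` instead of an index into `env`, checks that the Secret's data key matches its name before patching, and parses `weave --local status` for `Encryption: enabled`. It assumes `kubectl` on PATH with cluster access when run as `apply` or `remove`, and that weave-net pods carry the label `name=weave-net`.

```shell
#!/bin/sh
# Added example, not from the issue, kops or Weave. Assumes kubectl with cluster
# access when run as "apply"/"remove"; the container name "weave" is taken from
# the exec command above, the pod label name=weave-net is an assumption.
NS=kube-system
SECRET=weave-passwd   # used as both the Secret name and its data key
DS=daemonset/weave-net

# Strategic-merge patch adding WEAVE_PASSWORD to the "weave" container. It
# merges by container name and env name, so unlike a JSON patch to /env/0 it
# needs no pre-existing env list and cannot clobber whatever sits at index 0.
weave_env_patch() {
  printf '{"spec":{"template":{"spec":{"containers":[{"name":"weave","env":[{"name":"WEAVE_PASSWORD","valueFrom":{"secretKeyRef":{"name":"%s","key":"%s"}}}]}]}}}}' "$1" "$1"
}

# Exit 0 when weave status text on stdin reports "Encryption: enabled".
encryption_enabled() {
  grep -q '^[[:space:]]*Encryption:[[:space:]]*enabled[[:space:]]*$'
}

# Step 5: --from-file names the data key after the file, and the env ref must
# use that key, so confirm it exists under the name the patch will reference.
secret_key_ok() {
  [ -n "$(kubectl -n "$NS" get secret "$1" -o "jsonpath={.data.$1}" 2>/dev/null)" ]
}

# Constructed sample (from the status output in the second comment).
SAMPLE_STATUS='        Service: router
       Protocol: weave 1..2
     Encryption: enabled
  PeerDiscovery: enabled'

case "${1:-}" in
  apply)
    [ -s "./$SECRET" ] || openssl rand -hex 128 > "./$SECRET"
    kubectl -n "$NS" create secret generic "$SECRET" --from-file="./$SECRET"
    secret_key_ok "$SECRET" || { echo "data key must equal secret name" >&2; exit 1; }
    kubectl -n "$NS" patch "$DS" -p "$(weave_env_patch "$SECRET")"
    kubectl -n "$NS" rollout status "$DS"
    pod=$(kubectl -n "$NS" get pods -l name=weave-net -o jsonpath='{.items[0].metadata.name}')
    kubectl -n "$NS" exec "$pod" -c weave -- /home/weave/weave --local status \
      | encryption_enabled || { echo "encryption NOT enabled on $pod" >&2; exit 1; }
    echo "encryption enabled on $pod"
    ;;
  remove)  # trailing '-' unsets the variable; pods roll and revert to plaintext
    kubectl -n "$NS" set env "$DS" WEAVE_PASSWORD-
    ;;
esac
```

Run as `sh weave-encrypt.sh apply` to enable and `sh weave-encrypt.sh remove` to back it out; with no argument it only defines the functions.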

@summerswallow-whi
Author

commented May 29, 2018

"Peace of mind" testing can be had by monitoring `tcpdump -A port 6783` on any node running a JH pod.

@summerswallow-whi
Author

commented May 31, 2018

I've updated the documentation in a pull request at #707.
