This repository was archived by the owner on Jun 29, 2022. It is now read-only.
Add encryption to in-cluster pod traffic#911
Merged
Conversation
invidian
reviewed
Sep 7, 2020
assets/charts/control-plane/calico-host-protection/templates/host-protection.yaml
Outdated
Show resolved
Hide resolved
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
from
6cd5126 to
beb2608
Compare
knrt10
changed the title
knrt10
requested review from
iaguis
and removed request for
johananl and
surajssd
invidian
suggested changes
Sep 7, 2020
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
2 times, most recently
from
a58f31e to
8b50f72
Compare
johananl
reviewed
Sep 7, 2020
assets/terraform-modules/aws/flatcar-linux/kubernetes/variables.tf
Outdated
Show resolved
Hide resolved
Contributor
|
We should also change the MTU size when enabling this as mentioned here. Would encryption be picked up by the Calico chart on lokoctl apply? Would the MTU? |
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
from
8b50f72 to
7f07add
Compare
invidian
suggested changes
Sep 7, 2020
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
from
7f07add to
51687a4
Compare
Member
If encryption is enabled and Calico does not align MTU by default, then I guess we can do it automatically? |
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
5 times, most recently
from
c526052 to
2239711
Compare
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
from
2239711 to
ef0e9bb
Compare
invidian
reviewed
Sep 8, 2020
Member
invidian
left a comment
invidian
left a comment
There was a problem hiding this comment.
Just one more question, as I'm not sure if we don't change the existing behavior with failsafe ports.
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
from
ef0e9bb to
ed891c6
Compare
Member
|
I think we should make it a habit to include a "how to test" section in PRs. I just tried using this feature using Flatcar |
johananl
reviewed
Sep 28, 2020
assets/terraform-modules/aws/flatcar-linux/kubernetes/variables.tf
Outdated
Show resolved
Hide resolved
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
from
6cef80f to
cab4983
Compare
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
2 times, most recently
from
be1b98d to
e4758b4
Compare
invidian
suggested changes
Sep 30, 2020
assets/terraform-modules/aws/flatcar-linux/kubernetes/variables.tf
Outdated
Show resolved
Hide resolved
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
2 times, most recently
from
db862da to
7cb540b
Compare
Felixconfig should be part of calico charts and not calico-host-protection. This change is required for encrypting in-cluster pod traffic. This also introduces failsafeInboundHostPorts as a variable. Signed-off-by: knrt10 <kautilya@kinvolk.io>
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
2 times, most recently
from
844d1ca to
a5a5eb4
Compare
invidian
suggested changes
Sep 30, 2020
Member
invidian
left a comment
invidian
left a comment
There was a problem hiding this comment.
Just some last nits, otherwise LGTM.
assets/terraform-modules/aws/flatcar-linux/kubernetes/variables.tf
Outdated
Show resolved
Hide resolved
added 5 commits
September 30, 2020 18:31
Previously we used CNI network MTU in terraform, but now using default as Physical network MTU. Signed-off-by: knrt10 <kautilya@kinvolk.io>
Signed-off-by: knrt10 <kautilya@kinvolk.io>
Calico v3.15+ support WireGuard and if enabled it encrypts in-cluster pod traffic across nodes. Signed-off-by: knrt10 <kautilya@kinvolk.io>
Signed-off-by: knrt10 <kautilya@kinvolk.io>
Signed-off-by: knrt10 <kautilya@kinvolk.io>
knrt10
force-pushed
the
knrt10/encypting-cluster-traffic
branch
from
a5a5eb4 to
7f891d8
Compare
invidian
approved these changes
Sep 30, 2020
|
|
||
| disk_iops = var.disk_iops | ||
|
|
||
| network_mtu = 1480 |
Member
There was a problem hiding this comment.
I think this commit could be merged with the one changing the code.
|
|
||
| enable_tls_bootstrap = true | ||
|
|
||
| encrypt_pod_traffic = true |
Member
There was a problem hiding this comment.
Docs can be committed with the implementation.
iaguis
approved these changes
Sep 30, 2020
Contributor
iaguis
left a comment
iaguis
left a comment
There was a problem hiding this comment.
LGTM. We should mention in the release notes that we've changed the meaning of the network_mtu parameter.
Contributor
Author
|
Thank you all for the reviews. Merging now. |
arianvp
reviewed
Oct 29, 2020
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Calico v3.15+ support wireguard and if enabled it encrypts in-cluster
pod traffic across nodes.
Signed-off-by: knrt10 kautilya@kinvolk.io
Release Notes
default FelixConfigurationwhile upgrading from 0.4.1network_mtuchanged from CNI network MTU to Physical network MTU.bpfLogLevelwill be briefly set fromInfotoOff.calicochart upgrade andcalico-host-protectionchart: