Cilium Transparent Encryption with IPsec and WireGuard

Transcript

Welcome to the Cilium Flash episode on transparent encryption with IPSec. It’s not a feature that everyone is familiar with, but it’s a very cool feature, and it’s something that many customers across many different industries need. It’s the ability to encrypt data in transit within your Kubernetes cluster.

One of the main reasons you might want to do transparent encryption will be to avoid this type of man-in-the-middle attack by encrypting the traffic between two nodes, and typically, it will be the traffic between two pods that you might want to encrypt. So, let’s start with IPSec.

First, let’s just check our environment. We’ve got three worker nodes and one control plane node, and we’re using Kind for this particular demo. As you can see, we’ve disabled the default CNI, and that’s because we’re going to be installing Cilium.

To start with, we’re going to create a Kubernetes secret with a randomly generated pre-shared key, which is this PSK value you can see here. The Kubernetes secrets represents the Cilium IPSec configuration, with 3 being the key ID, which is just an identifier of the key. We then have the encryption algorithm, which is AES GCM, the PSK that we’ve created before, and finally, the key size, which is 128. That IPSec configuration is essentially shared across all the agents, all the Cilium agents.

We are now ready to install Cilium using the IPSec encryption feature, and you can see during the installation logs that the Cilium CLI found the Cilium IPSec keys, the encryption secret, and it’s using this as part of the configuration. It just takes a minute or so to install.

Once that’s done, we’re just going to check that Cilium has been properly configured with a cilium status command, and we’ll also check the configuration to make sure that IPSec was configured as expected. And here it is. Now we’re ready to go and verify that traffic is being encrypted.

Now, first, we’re going to run a shell in one of the Cilium agents, and then we’re going to be installing tcpdump to check the traffic. It only takes a few seconds. Because we’re using Kind, Cilium is by default deployed in tunnel mode, so that’s why we’ve got the cilium_vxlan interface. We’re using VXLAN here, and what we are doing is actually filtering based on this interface and looking at ESP traffic, which is the encapsulation protocol for IPSec. And what you can see here is you can actually see traffic between our Cilium agents being sent over the IPSec tunnel.

Now, let’s verify the IPSec policy configuration. We can check with the following command that traffic from the pod CIDR on the node where the agent is running to the policy CIDRs on the three other nodes will be sent down the IPSec tunnels. So, 10.4.244.0 to 10.2.244.0 to 10.244.3.0, the traffic to these destinations, to these policy CIDRs, will be going down three different tunnels, and that’s how pod-to-pod traffic is encrypted.

Now, if we want to rotate the key, it’s going to be a very similar process to what we did before. We’re going to create a new PSK value and then we’re going to patch existing Kubernetes secrets. And automatically, that key will be distributed, and there will be a short period of time where both keys are valid. And as you can see, we’re also iterating the key ID as part of the process, and you can see that the PSK value is associated.

Next, we’re going to look at a different method to apply transparent encryption using Cilium: WireGuard. WireGuard is described as an extremely simple, yet fast and modern VPN that utilizes state-of-the-art cryptography. It’s supposed to be faster, simpler, linear, and more useful than IPSec. It’s been available with Cilium since version 1.10, and let’s have a look at it in the lab.

The first thing to check with WireGuard is whether your kernel is recent enough. You need at least version 5.6 to run WireGuard. We’re on 5.15, so we are fine. We are now ready to install Cilium with WireGuard.

Now, WireGuard has some impressive performances and it’s very simple, but it’s not compatible with some of the layer 7 features that Cilium can offer. So, you can see that layer 7 proxy is disabled due to WireGuard encryption. You can’t use WireGuard encryption alongside layer 7 policy rules, for example.

Unlike with IPSec, we didn’t have to create a key to enable WireGuard with Cilium. Each node automatically creates its own encryption key pair and distributes it using annotations. And you can see this annotation just here. Then, each node’s public key is used by other nodes to decrypt and encrypt traffic from and into Cilium-managed endpoints running on that node.

We can log into the agents and double-check that we’ve got our public key here, and we’re using the WireGuard interfaces. You can also see that we have three peers because we are peering with three other nodes. And you can also see port 51871, which is the endpoint port.

Finally, let’s verify that traffic is also encrypted and sent down through the WireGuard interfaces. We’re going to use tcpdump to listen to traffic on the WireGuard interface and see if traffic is being sent down this encrypted tunnel. We’re going to deploy a couple of pods. These pods are attached to two different nodes, so we are testing inter-node communication. And we are going to deploy these pods first.

It took a few seconds. Now, we’re just going to run a ping from pod-worker1 to pod-worker2, and you’ll see that traffic is being sent across the WireGuard tunnels. If we look back at the tcpdump, you can see the traffic to 10.244.2.49 is being sent to the WireGuard interface. And that’s literally all you need to enable transparent encryption between your pods.

I hope this video is helpful. I hope you understood the differences between using IPSec and WireGuard and how to encrypt data in transit in your Kubernetes cluster using Cilium transparent encryption. Thanks for watching.