Merge pull request #10037 from h3poteto/iss-9753

Add WireGuard support for Calico CNI
This commit is contained in:
Kubernetes Prow Robot 2020-10-11 06:10:47 -07:00 committed by GitHub
commit 6f85cd98c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 37 additions and 2 deletions


@ -56,7 +56,7 @@ To enable this mode in a cluster, add the following to the cluster spec:
crossSubnet: true
```
In the case of AWS, EC2 instances have source/destination checks enabled by default.
When you enable cross-subnet mode in kops 1.19+, it is equivalent to:
When you enable cross-subnet mode in kops 1.19+, it is equivalent to:
```yaml
networking:
calico:
@ -93,6 +93,19 @@ It is possible to configure Calico to use Typha by editing a cluster and adding
typhaReplicas: 3
```
### Configuring WireGuard
{{ kops_feature_table(kops_added_default='1.19', k8s_min='1.16') }}
Calico supports WireGuard to encrypt pod-to-pod traffic. If you enable this options, WireGuard encryption is automatically enabled for all nodes. At the moment, kops installs WireGuard automatically only when the host OS is *Ubuntu*. For other OSes, WireGuard has to be part of the base image or installed via a hook.
For more details of Calico WireGuard please refer the [Calico Docs](https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic).
```yaml
networking:
calico:
wireguardEnabled: true
```
## Getting help
For help with Calico or to report any issues:


@ -2197,6 +2197,9 @@ spec:
description: TyphaReplicas is the number of replicas of Typha to deploy
format: int32
type: integer
wireguardEnabled:
description: 'WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic (default: false)'
type: boolean
type: object
canal:
description: CanalNetworkingSpec declares that we want Canal networking


@ -21,6 +21,7 @@ import (
"k8s.io/kops/nodeup/pkg/model"
"k8s.io/kops/upup/pkg/fi"
"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
)
// CalicoBuilder configures the etcd TLS support for Calico
@ -38,6 +39,10 @@ func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error {
return nil
}
if b.Distribution.IsUbuntu() {
c.AddTask(&nodetasks.Package{Name: "wireguard"})
}
// @check if tls is enabled and if so, we need to download the client certificates
if b.IsKubernetesLT("1.12") && !b.UseEtcdManager() && b.UseEtcdTLS() {
name := "calico-client"
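Review bot: The new block installs the wireguard package on every Ubuntu node whether or not the cluster has `WireguardEnabled` set — it gates only on `b.Distribution.IsUbuntu()`. That puts an extra networking package and kernel module on nodes that never use it, and the docs hunk in this same PR describes the install as something that happens when the option is enabled, so the code and the docs disagree. If the builder can reach the cluster spec (presumably via `b.Cluster.Spec.Networking.Calico`, as other nodeup builders do), the condition should read `if b.Distribution.IsUbuntu() && b.Cluster.Spec.Networking.Calico != nil && b.Cluster.Spec.Networking.Calico.WireguardEnabled {`. Build starts before this hunk and continues past it.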


@ -152,6 +152,9 @@ type CalicoNetworkingSpec struct {
TyphaPrometheusMetricsPort int32 `json:"typhaPrometheusMetricsPort,omitempty"`
// TyphaReplicas is the number of replicas of Typha to deploy
TyphaReplicas int32 `json:"typhaReplicas,omitempty"`
// WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic
// (default: false)
WireguardEnabled bool `json:"wireguardEnabled,omitempty"`
}
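Review bot: The doc comment on `WireguardEnabled` states what the flag turns on but not what it requires from the node, which is the part API users will trip over: per the docs hunk in this PR, kops only installs WireGuard automatically on Ubuntu, and on other OSes it must already be in the image or installed by a hook. Suggest extending the comment with `// The wireguard package and kernel module must be present on every node; kops installs them automatically only on Ubuntu.` The identical field in the second copy of CalicoNetworkingSpec below should carry the same sentence.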
// CanalNetworkingSpec declares that we want Canal networking


@ -152,6 +152,9 @@ type CalicoNetworkingSpec struct {
TyphaPrometheusMetricsPort int32 `json:"typhaPrometheusMetricsPort,omitempty"`
// TyphaReplicas is the number of replicas of Typha to deploy
TyphaReplicas int32 `json:"typhaReplicas,omitempty"`
// WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic
// (default: false)
WireguardEnabled bool `json:"wireguardEnabled,omitempty"`
}
// CanalNetworkingSpec declares that we want Canal networking


@ -1343,6 +1343,7 @@ func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in *
out.TyphaPrometheusMetricsEnabled = in.TyphaPrometheusMetricsEnabled
out.TyphaPrometheusMetricsPort = in.TyphaPrometheusMetricsPort
out.TyphaReplicas = in.TyphaReplicas
out.WireguardEnabled = in.WireguardEnabled
return nil
}
@ -1370,6 +1371,7 @@ func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in *
out.TyphaPrometheusMetricsEnabled = in.TyphaPrometheusMetricsEnabled
out.TyphaPrometheusMetricsPort = in.TyphaPrometheusMetricsPort
out.TyphaReplicas = in.TyphaReplicas
out.WireguardEnabled = in.WireguardEnabled
return nil
}


@ -13100,6 +13100,9 @@ spec:
# Enable / Disable source/destination checks in AWS
- name: FELIX_AWSSRCDSTCHECK
value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AwsSrcDstCheck "DoNothing" -}} {{- end -}}"
# Enable WireGuard encryption for all on-the-wire pod-to-pod traffic
- name: FELIX_WIREGUARDENABLED
value: "{{ .Networking.Calico.WireguardEnabled }}"
securityContext:
privileged: true
resources:


@ -3937,6 +3937,9 @@ spec:
# Enable / Disable source/destination checks in AWS
- name: FELIX_AWSSRCDSTCHECK
value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AwsSrcDstCheck "DoNothing" -}} {{- end -}}"
# Enable WireGuard encryption for all on-the-wire pod-to-pod traffic
- name: FELIX_WIREGUARDENABLED
value: "{{ .Networking.Calico.WireguardEnabled }}"
securityContext:
privileged: true
resources:


@ -858,7 +858,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann
"k8s-1.7": "2.6.12-kops.1",
"k8s-1.7-v3": "3.8.0-kops.2",
"k8s-1.12": "3.9.6-kops.1",
"k8s-1.16": "3.16.3-kops.1",
"k8s-1.16": "3.16.3-kops.2",
}
{
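Review bot: Only the `"k8s-1.16"` Calico addon version moves to `3.16.3-kops.2` here, yet two manifest templates in this PR (the sections at old line 13100 and old line 3937) both gained the `FELIX_WIREGUARDENABLED` env var. If either of those is the template behind the unchanged `"k8s-1.12": "3.9.6-kops.1"` entry, existing clusters on it will not reconcile the new env var because the addon version did not change, and Calico 3.9 predates WireGuard support (added in Calico 3.14), so that template should either drop the env var or get its own version bump. It is worth confirming which template each changed section belongs to before merging. buildAddons starts before this hunk and continues past it.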