From 51e7f2a691887571067d9e58156dfeff41544452 Mon Sep 17 00:00:00 2001 From: AkiraFukushima Date: Sun, 11 Oct 2020 15:53:07 +0900 Subject: [PATCH 1/5] Add wireguardEnabled option in networking Calico --- k8s/crds/kops.k8s.io_clusters.yaml | 3 +++ pkg/apis/kops/networking.go | 3 +++ pkg/apis/kops/v1alpha2/networking.go | 3 +++ 3 files changed, 9 insertions(+) diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml index 4534444678..c74cb05fe3 100644 --- a/k8s/crds/kops.k8s.io_clusters.yaml +++ b/k8s/crds/kops.k8s.io_clusters.yaml @@ -2194,6 +2194,9 @@ spec: description: TyphaReplicas is the number of replicas of Typha to deploy format: int32 type: integer + wireguardEnabled: + description: 'WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic (default: false)' + type: boolean type: object canal: description: CanalNetworkingSpec declares that we want Canal networking diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go index 2de1c38cd7..17bab5a522 100644 --- a/pkg/apis/kops/networking.go +++ b/pkg/apis/kops/networking.go @@ -152,6 +152,9 @@ type CalicoNetworkingSpec struct { TyphaPrometheusMetricsPort int32 `json:"typhaPrometheusMetricsPort,omitempty"` // TyphaReplicas is the number of replicas of Typha to deploy TyphaReplicas int32 `json:"typhaReplicas,omitempty"` + // WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic + // (default: false) + WireguardEnabled bool `json:"wireguardEnabled,omitempty"` } // CanalNetworkingSpec declares that we want Canal networking diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go index e022957c64..daa9f7601b 100644 --- a/pkg/apis/kops/v1alpha2/networking.go +++ b/pkg/apis/kops/v1alpha2/networking.go 
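Review bot: The doc comment on the new `WireguardEnabled` field in pkg/apis/kops/networking.go says what the flag turns on but not what a node has to provide for it to work; patch 3 in this series installs the `wireguard` package on Ubuntu only, and the calico.md hunk says other OSes need it in the base image or via a hook. Suggested comment: `// WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic. Nodes must have WireGuard available; kops installs the package on Ubuntu only. (default: false)`. The same three lines are duplicated in the pkg/apis/kops/v1alpha2/networking.go hunk and should be updated there too. The enclosing CalicoNetworkingSpec struct starts and ends outside the hunk.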
@@ -152,6 +152,9 @@ type CalicoNetworkingSpec struct { TyphaPrometheusMetricsPort int32 `json:"typhaPrometheusMetricsPort,omitempty"` // TyphaReplicas is the number of replicas of Typha to deploy TyphaReplicas int32 `json:"typhaReplicas,omitempty"` + // WireguardEnabled enables WireGuard encryption for all on-the-wire pod-to-pod traffic + // (default: false) + WireguardEnabled bool `json:"wireguardEnabled,omitempty"` } // CanalNetworkingSpec declares that we want Canal networking From 76030f45260673da54f0404fa16a0798cb9aeb14 Mon Sep 17 00:00:00 2001 From: AkiraFukushima Date: Fri, 9 Oct 2020 00:49:22 +0900 Subject: [PATCH 2/5] Update generated conversion for wireguardEnabled --- pkg/apis/kops/v1alpha2/zz_generated.conversion.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go index b23aed4bfe..5e04a7a167 100644 --- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go +++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go @@ -1343,6 +1343,7 @@ func autoConvert_v1alpha2_CalicoNetworkingSpec_To_kops_CalicoNetworkingSpec(in * out.TyphaPrometheusMetricsEnabled = in.TyphaPrometheusMetricsEnabled out.TyphaPrometheusMetricsPort = in.TyphaPrometheusMetricsPort out.TyphaReplicas = in.TyphaReplicas + out.WireguardEnabled = in.WireguardEnabled return nil } @@ -1370,6 +1371,7 @@ func autoConvert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in * out.TyphaPrometheusMetricsEnabled = in.TyphaPrometheusMetricsEnabled out.TyphaPrometheusMetricsPort = in.TyphaPrometheusMetricsPort out.TyphaReplicas = in.TyphaReplicas + out.WireguardEnabled = in.WireguardEnabled return nil } From 4e4c4a1e164a0981902530e1d116f811a4d6c2c5 Mon Sep 17 00:00:00 2001 From: AkiraFukushima Date: Sun, 11 Oct 2020 15:44:24 +0900 Subject: [PATCH 3/5] Install wireguard OS package in nodeup --- nodeup/pkg/model/networking/calico.go | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/nodeup/pkg/model/networking/calico.go b/nodeup/pkg/model/networking/calico.go index 230aa6f280..aea39f9cc0 100644 --- a/nodeup/pkg/model/networking/calico.go +++ b/nodeup/pkg/model/networking/calico.go @@ -21,6 +21,7 @@ import ( "k8s.io/kops/nodeup/pkg/model" "k8s.io/kops/upup/pkg/fi" + "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks" ) // CalicoBuilder configures the etcd TLS support for Calico @@ -38,6 +39,10 @@ func (b *CalicoBuilder) Build(c *fi.ModelBuilderContext) error { return nil } + if b.Distribution.IsUbuntu() { + c.AddTask(&nodetasks.Package{Name: "wireguard"}) + } + // @check if tls is enabled and if so, we need to download the client certificates if b.IsKubernetesLT("1.12") && !b.UseEtcdManager() && b.UseEtcdTLS() { name := "calico-client" From 7ad4815fc9acc89248cef34641fdb766731bf933 Mon Sep 17 00:00:00 2001 From: AkiraFukushima Date: Sun, 11 Oct 2020 15:42:17 +0900 Subject: [PATCH 4/5] Enable wireguard in calico-node if it is enabled --- upup/models/bindata.go | 3 +++ .../addons/networking.projectcalico.org/k8s-1.16.yaml.template | 3 +++ upup/pkg/fi/cloudup/bootstrapchannelbuilder.go | 2 +- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/upup/models/bindata.go b/upup/models/bindata.go index d19a08d6c1..b40a998f23 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -13100,6 +13100,9 @@ spec: # Enable / Disable source/destination checks in AWS - name: FELIX_AWSSRCDSTCHECK value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AwsSrcDstCheck "DoNothing" -}} {{- end -}}" + # Enable WireGuard encryption for all on-the-wire pod-to-pod traffic + - name: FELIX_WIREGUARDENABLED + value: "{{ .Networking.Calico.WireguardEnabled }}" securityContext: privileged: true resources: 
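Review bot: The new `if b.Distribution.IsUbuntu()` block in Build installs the `wireguard` package on every Ubuntu node that runs Calico, whether or not `wireguardEnabled` is set in the cluster spec, so clusters that never opt in still get an extra package and kernel module on each node. Gating it on the spec keeps the default footprint unchanged, e.g. `if b.Distribution.IsUbuntu() && calicoSpec.WireguardEnabled {` where `calicoSpec` is whatever the early `return nil` check above presumably uses to reach the cluster's Calico networking spec (not visible in the hunk). Conversely, when the option is enabled on a non-Ubuntu distribution nothing is installed and nothing is reported; a log line or a validation error when WireGuard is unavailable would make a fall-back to unencrypted traffic (if that is how Felix behaves, which this hunk cannot confirm) visible to the operator. Build's body continues outside the hunk.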
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index b7b9cc4c31..0eb2b4e7f5 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template @@ -3937,6 +3937,9 @@ spec: # Enable / Disable source/destination checks in AWS - name: FELIX_AWSSRCDSTCHECK value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AwsSrcDstCheck "DoNothing" -}} {{- end -}}" + # Enable WireGuard encryption for all on-the-wire pod-to-pod traffic + - name: FELIX_WIREGUARDENABLED + value: "{{ .Networking.Calico.WireguardEnabled }}" securityContext: privileged: true resources: diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index 0eda37507e..d93772baa1 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go @@ -858,7 +858,7 @@ func (b *BootstrapChannelBuilder) buildAddons(c *fi.ModelBuilderContext) (*chann "k8s-1.7": "2.6.12-kops.1", "k8s-1.7-v3": "3.8.0-kops.2", "k8s-1.12": "3.9.6-kops.1", - "k8s-1.16": "3.16.3-kops.1", + "k8s-1.16": "3.16.3-kops.2", } { From b8524205f70d0ecf57bb967e982eb9a09fec2d81 Mon Sep 17 00:00:00 2001 From: AkiraFukushima Date: Sun, 11 Oct 2020 19:10:55 +0900 Subject: [PATCH 5/5] Add wireguard description in calico docs --- docs/networking/calico.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/networking/calico.md b/docs/networking/calico.md index ebfd3316e8..0eb3d7af6b 100644 --- a/docs/networking/calico.md +++ b/docs/networking/calico.md 
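Review bot: `FELIX_WIREGUARDENABLED` is added only to the k8s-1.16 Calico template, so a cluster still on an older template with `wireguardEnabled: true` in its spec would render no such env var and presumably keep running unencrypted, while the CRD hunk in patch 1 accepts the field for any cluster. Unless validation elsewhere (not in this series) rejects the option below the k8s-1.16 addon, a validation rule, or at least a sentence in the field's doc comment saying it takes effect only with the k8s-1.16 template, would avoid a false sense of encryption. The bindata.go hunk in this patch carries the same template text and needs no separate change once the template is regenerated.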
@@ -56,7 +56,7 @@ To enable this mode in a cluster, add the following to the cluster spec: crossSubnet: true ``` In the case of AWS, EC2 instances have source/destination checks enabled by default. -When you enable cross-subnet mode in kops 1.19+, it is equivalent to: +When you enable cross-subnet mode in kops 1.19+, it is equivalent to: ```yaml networking: calico: @@ -93,6 +93,19 @@ It is possible to configure Calico to use Typha by editing a cluster and adding typhaReplicas: 3 ``` +### Configuring WireGuard +{{ kops_feature_table(kops_added_default='1.19', k8s_min='1.16') }} + +Calico supports WireGuard to encrypt pod-to-pod traffic. If you enable this options, WireGuard encryption is automatically enabled for all nodes. At the moment, kops installs WireGuard automatically only when the host OS is *Ubuntu*. For other OSes, WireGuard has to be part of the base image or installed via a hook. + +For more details of Calico WireGuard please refer the [Calico Docs](https://docs.projectcalico.org/security/encrypt-cluster-pod-traffic). + +```yaml + networking: + calico: + wireguardEnabled: true +``` + ## Getting help For help with Calico or to report any issues: