Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypting pod network traffic between worker node and pod VM #688

Open
bpradipt opened this issue Mar 8, 2023 · 17 comments
Open

Encrypting pod network traffic between worker node and pod VM #688

bpradipt opened this issue Mar 8, 2023 · 17 comments
Assignees
@kartikjoshi21

Comments

@bpradipt
Copy link
Member

bpradipt commented Mar 8, 2023

The default networking solution extends pod network by creating a VXLAN tunnel between worker node and pod VM.
Does this need to be encrypted? If yes what are the available mechanisms ?
@bpradipt
Copy link
Member Author

Few additional questions:

  1. When pod-to-pod traffic is secured via mTLS using service mesh, does it makes sense to encrypt the tunnel traffic ?
  2. If the workload is TLS enabled then does it makes sense to encrypt the tunnel traffic ?

As for the options to encrypt the tunnel traffic, I could find ipsec and macsec

The fundamental question is do we really need to encrypt the tunnel traffic ?

@yoheiueda
Copy link
Member

I think it depends on how Kubernetes pod network is configured.

In a typical case, inter-node communication of Kubernetes pod network is not encrypted. In this case, we don't need to encrypt the tunnel traffic.

If inter-node communication of Kubernetes pod network is encrypted, the tunnel traffic should be encrypted. For example, Calico supports encryption of in-cluster pod traffic. https://docs.tigera.io/calico/3.25/network-policy/encrypt-cluster-pod-traffic

@yoheiueda
Copy link
Member

WireGuard is gaining popularity for secure tunnels.

It looks like we can implement WireGuard tunnels for CAA in a relatively straightforward way.

https://www.wireguard.com/quickstart/
https://www.wireguard.com/netns/

@bpradipt
Copy link
Member Author

I think it depends on how Kubernetes pod network is configured.

In a typical case, inter-node communication of Kubernetes pod network is not encrypted. In this case, we don't need to encrypt the tunnel traffic.

If inter-node communication of Kubernetes pod network is encrypted, the tunnel traffic should be encrypted. For example, Calico supports encryption of in-cluster pod traffic. https://docs.tigera.io/calico/3.25/network-policy/encrypt-cluster-pod-traffic

@yoheiueda this makes sense. We can provide it as an optional capability for cases where pod-to-pod traffic is not encrypted by default. For cases where pod-to-pod traffic is encrypted we can use wireguard.

I'm assuming mTLS using service mesh should work as-is. Although I have personally not tested service-mesh on a peer-pods environment.

@huoqifeng
Copy link

I ever tried istio service mesh for PeerPod, yes, it works as-is because mTLS configuration all happen within service mesh proxy.

@bpradipt
Copy link
Member Author

I ever tried istio service mesh for PeerPod, yes, it works as-is because mTLS configuration all happen within service mesh proxy.

Thanks for confirming @huoqifeng

@kartikjoshi21 kartikjoshi21 self-assigned this Apr 26, 2023
@kartikjoshi21
Copy link
Contributor

cc @mkulke

@mkulke
Copy link
Contributor

mkulke commented May 2, 2023

Are we confident a tunnel over tunnel (wg over vxlan) configuration will cause no issues in some setups?

@yoheiueda
Copy link
Member

@mkulke

WireGuard is a protocol that encapsulates IP packet as described here.

https://www.wireguard.com/#conceptual-overview

WireGuard securely encapsulates IP packets over UDP. You add a WireGuard interface, configure it with your private key and your peers' public keys, and then you send packets across it. All issues of key distribution and pushed configurations are out of scope of WireGuard; these are issues much better left for other layers, lest we end up with the bloat of IKE or OpenVPN

So, I don't think we need to encapsulate VXLAN over WireGuard for our pod network tunneling. We can just use WireGuard as a point-to-point network tunnel.

@kartikjoshi21 have you started implementing this enhancement?

BTW, I am working on refactoring our pod network code by simplifying the interface of the bitops package.

@kartikjoshi21
Copy link
Contributor

kartikjoshi21 commented May 2, 2023
edited
Loading

@yoheiueda I started trying out wireguard, But got stuck due to some issues in connectivity from worker node -> pod vm. Yet to look into what was missing in the setup.

@yoheiueda yoheiueda mentioned this issue May 12, 2023
Closed
@yoheiueda
Copy link
Member

@kartikjoshi21 Thank you for the status info. I think I can help you if you can share the code or experimental setup information.

As I said before, I am refactoring the network code. (#947 and #954) This is probably conflicting with your code, and I can also help you to rebase your code if my PRs get merged before yours.

@bpradipt bpradipt mentioned this issue Sep 26, 2023
Merged
@katexochen katexochen mentioned this issue Sep 28, 2023
Closed
@yoheiueda
Copy link
Member

I recently investigated the feasibility of WireGuard tunnel. I did some experiments using the ip command to set up WireGuard-based tunneling for peer pods, and it worked fine.

I also noticed that WireGuard has additional benefits for networks with NAT. If a worker node is a WireGuard client, and a peer pod VM is a WireGuard server, the worker node can be behind a network with NAT.
https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence

This will work fine with the public IP support by this PR. #2056

The current VXLAN tunnel does not support NAT traversal, since Linux connection tracking cannot correcty handle VXLAN packet streams. #2015

@yoheiueda
Copy link
Member

My current design of WireGuard support

WireGuard

@katexochen
Copy link
Contributor

Why do we want to encrypt that traffic again? In the coco attacker model, the worker node is untrusted. So we are building a very secure channel to a party we don't trust anyway, protecting against what?

@yoheiueda
Copy link
Member

@katexochen Yes. Worker nodes are not trusted, so we should not rely only on network encryption between a worker node and a peer pod VM. Applications runs on a pod need to use other protection mechanisms such as TLS for protecting data-plane traffic against worker nodes.

This optional feature is for an additional protection as defense in depth. The data-plane tunnel encryption can protect attacks from outside a Kubernetes cluster. In some use cases such as #2056 , tunnel traffic will go through the Internet. This additional protection may mitigate risks of data leakage when basic data protection is not properly configured.

Another benetit of WireGuard is the support of NAT traversal as mentioned in #688 (comment). VXLAN does not work well with NAT, and WireGuard will also be an option to support such network topologies.

@bpradipt @davidhadas Any comments?

@bpradipt
Copy link
Member Author

@katexochen this is a vxlan tunnel alternative. One of the use cases that we have for cloud-api-adaptor is bursting to cloud from a development environment (eg kind cluster on a dev laptop) to run large VM or GPU VM to experiment with AI models.
Another use case that we have is enterprise focused where it is used for bursting from on-prem to cloud. Although in this case there is site-to-site vpn but we have found issues with VXLAN tunneling.

@katexochen
Copy link
Contributor

So we expected better tunnel stability from switching to wg and won't nest it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kartikjoshi21 kartikjoshi21

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mkulke @bpradipt @yoheiueda @kartikjoshi21 @huoqifeng @katexochen