Encryption and private networking question #1976
Replies: 1 comment · 5 replies
-
Hey Giovanni, rke2 supports calico, cilium and canal ==> https://docs.rke2.io/install/network_options/#network-options. All of them have encryption features (e.g. using wireguard natively).
-
Thanks, I will check it.
-
Hi, I have another question about this. When I install an actual RKE2 with its defaults, like canal, which has encryption features as you say, is this encryption enabled by default? Flannel uses vxlan as the default backend, as I have observed and read in the docs (https://docs.rke2.io/install/network_options/), which does not encrypt traffic by default as in https://rancher.com/docs/rancher/v2.6/en/faq/networking/cni-providers/#flannel. So I assume it is not encrypted by default, but please correct me if I'm wrong. However, the RKE2 docs say that I can create a HelmChartConfig object

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-canal
  namespace: kube-system
spec:
  valuesContent: |-
    flannel:
      backend: "wireguard"
```

to enable the wireguard backend instead of vxlan, which I have tried and it seems to have done something (it edited the file /etc/kube-flannel/net-conf.json in the kube-flannel container in the rke2-canal pod), and though I don't know how exactly to test it, I trust that it works as it should. Another interesting fact is that if I check the logs of the kube-flannel container, I can still see some vxlan keywords but no wireguard keywords:
[screenshot of the kube-flannel container logs]
like that
-
Interesting, I think the issue with the logs is that after creating the HelmChartConfig object (and after the job for the helm upgrade is executed) the daemonset is not restarted. I just restarted it manually and it looks like it now has different logs (with wireguard keywords in it):
[screenshot of the kube-flannel container logs after the restart]
-
Thanks for reporting this. Regarding the wireguard backend, we need to update the docs. Regarding the restart, HelmChartConfig is based on Helm. Helm will only restart what gets changed with the new config. In this case, what changes is the config and thus it does not restart everything automatically. Therefore, the manual restart of the daemonset, as you experienced, is needed.
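The sequence discussed in this thread (apply the HelmChartConfig, wait for the helm job to roll the new config into the pods, restart the daemonset by hand since Helm will not, then check the result), as an added shell example that is not code from the discussion or the RKE2 project. It assumes kubectl access to the cluster and the names used above (daemonset kube-system/rke2-canal, container kube-flannel, file /etc/kube-flannel/net-conf.json); the backend check itself runs offline on constructed sample configs.

```shell
#!/bin/sh
# Added example (not the discussion's or the RKE2 project's code): switch the
# rke2-canal flannel backend to wireguard, wait for the new config to reach the
# pods, restart the daemonset (Helm does not, since only config changed), verify.
# Assumed names, taken from the thread: kube-system/rke2-canal, container kube-flannel.
set -eu

# Pure check on the text of /etc/kube-flannel/net-conf.json: prints Backend.Type.
# sed only (no jq); tolerant of whitespace, newlines and extra keys.
flannel_backend_type() {
  printf '%s' "$1" | tr -d '\n' | sed -n \
    's/.*"Backend"[[:space:]]*:[[:space:]]*{[^}]*"Type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}
is_wireguard_conf() { [ "$(flannel_backend_type "$1")" = "wireguard" ]; }

# Constructed sample configs so the check can be exercised offline.
VXLAN_CONF='{ "Network": "10.42.0.0/16", "Backend": { "Type": "vxlan" } }'
WG_CONF='{ "Network": "10.42.0.0/16", "Backend": { "Type": "wireguard" } }'

current_net_conf() {
  kubectl -n kube-system exec daemonset/rke2-canal -c kube-flannel \
    -- cat /etc/kube-flannel/net-conf.json
}
enable_wireguard_backend() {
  kubectl apply -f - <<'EOF'
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-canal
  namespace: kube-system
spec:
  valuesContent: |-
    flannel:
      backend: "wireguard"
EOF
  # The helm job rewrites the ConfigMap; the mounted file follows shortly after.
  i=0
  until is_wireguard_conf "$(current_net_conf)"; do
    i=$((i + 1)); [ "$i" -lt 60 ] || { echo "config never switched" >&2; return 1; }
    sleep 5
  done
  # Running pods keep the old backend until restarted; then confirm from the logs.
  kubectl -n kube-system rollout restart daemonset/rke2-canal
  kubectl -n kube-system rollout status daemonset/rke2-canal --timeout=300s
  kubectl -n kube-system logs daemonset/rke2-canal -c kube-flannel | grep -i wireguard
}

# Only touch the cluster when asked; defining the functions has no side effects.
if [ "${RUN_ON_CLUSTER:-0}" = "1" ]; then enable_wireguard_backend; fi
```

Run with `RUN_ON_CLUSTER=1 sh enable-wg.sh` against a kubeconfig that can reach the cluster; without that variable the script only defines the functions.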
-
And yes, you are right, it could be supported in some latest patch versions of 1.22. We wrote 1.23 directly because we thought it would be less confusing, as all patch versions of v1.23 support it. BTW, here is a doc update based on your report: #2959. You are welcome to review it :)
This discussion was converted from issue #1975 on October 19, 2021 15:37.
-
Hello, thanks for the great project.
I have one question about network encryption.
I am planning to install the k8s cluster in an untrusted network, without a private network option. The Virtual Private Servers I chose to run on unfortunately don't have this option.
Does RKE2 have a network encryption option to configure?
I can create a mesh encrypted network between the hosts using tailscale, zerotier or pure wireguard, and configure the servers and clients to listen on the private interface address, then set up my machine to connect to this VPN. I think this is the option I will proceed with, but I would like some advice on this.
I know that RKE1 has support for Weave network which brings encryption, but I would like to set up a new cluster using containerd because it is more future-proof (Kubernetes is dropping support for Docker).
I appreciate any feedback.
Thanks.