Encrypt in-cluster pod traffic


Big picture

Enable WireGuard to secure on-the-wire, in-cluster pod traffic in a Calico cluster.

Value

Calico automatically creates and manages WireGuard tunnels between nodes, providing transport-level security for on-the-wire, in-cluster pod traffic. WireGuard provides formally verified, secure and performant tunnels without any specialized hardware. For a deep dive into the WireGuard implementation, see the whitepaper.

Features

This how-to guide uses the following Calico features:

  • Felix configuration resource with WireGuard configuration parameters

Before you begin…

Note: WireGuard in Calico does not support IPv6 at this time. Also, encryption using WireGuard is not supported if CALICO_NETWORKING_BACKEND=none (e.g. on managed Kubernetes platforms such as EKS, AKS and GKE).

How to enable WireGuard for the cluster

  1. Install WireGuard on cluster nodes using instructions for your operating system. Note that you may need to reboot your nodes after installing WireGuard to make the kernel modules available on your system.

    Note: Nodes that do not support WireGuard will not be secured by WireGuard tunnels, even when pod traffic to and from such a node is exchanged with nodes that do support WireGuard.

  2. Enable WireGuard encryption across all the nodes using the following command.

    calicoctl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'

    For OpenShift, add the Felix configuration with WireGuard enabled under custom resources.

    Note: The above command can be used to change other WireGuard attributes. For a list of other WireGuard parameters and configuration evaluation, see the Felix configuration.

  3. We recommend that you review and modify the MTU used by Calico networking when WireGuard is enabled to increase network performance. Follow the instructions in the Configure MTU to maximize network performance guide to set the MTU to a value appropriate for your network.

How to disable WireGuard for an individual node

To disable WireGuard on a specific node with WireGuard installed, modify the node-specific Felix configuration. For example:

calicoctl patch felixconfiguration node.<Node-Name> --type='merge' -p '{"spec":{"wireguardEnabled":false}}'

To disable encryption for pod traffic on node my-node, use the following command:

calicoctl patch felixconfiguration node.my-node --type='merge' -p '{"spec":{"wireguardEnabled":false}}'

With the above command, Calico will not encrypt any of the pod traffic to or from node my-node.

How to disable WireGuard for the cluster

To disable WireGuard on all nodes, modify the default Felix configuration. For example:

calicoctl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":false}}'

Troubleshoot

To verify that the nodes are configured for WireGuard encryption, check the node status set by Felix using calicoctl. For example:

   $ calicoctl get node <NODE-NAME> -o yaml
   ...
   status:
     ...
     wireguardPublicKey: jlkVyQYooZYzI2wFfNhSZez5eWh44yfq1wKVjLvSXgY=
     ...
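To audit a whole cluster rather than one node at a time, the following added example (not part of the Calico documentation or the calicoctl tool) reads the JSON form of the node list and flags nodes that have no WireGuard public key in their status, or a key that is not a valid 32-byte WireGuard key. It assumes `calicoctl get nodes -o json` returns a NodeList with `items` carrying `metadata.name` and `status.wireguardPublicKey`, and runs offline against a constructed sample that reuses the key from the output above.

```python
import base64
import json
import subprocess

# Constructed sample of `calicoctl get nodes -o json` output (assumed NodeList shape).
# node-a carries the key shown in the troubleshooting output above.
SAMPLE_NODES_JSON = json.dumps({
    "kind": "NodeList",
    "items": [
        {"metadata": {"name": "node-a"},
         "status": {"wireguardPublicKey": "jlkVyQYooZYzI2wFfNhSZez5eWh44yfq1wKVjLvSXgY="}},
        {"metadata": {"name": "node-b"}, "status": {}},
        {"metadata": {"name": "node-c"},
         "status": {"wireguardPublicKey": "not-a-valid-key"}},
    ],
})


def is_wireguard_key(value):
    """A WireGuard public key is a 32-byte Curve25519 point, base64-encoded (44 chars)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) == 32


def audit_nodes(node_list_json):
    """Map each node name to 'ok', 'missing' or 'malformed' from status.wireguardPublicKey."""
    result = {}
    for item in json.loads(node_list_json).get("items", []):
        name = item["metadata"]["name"]
        key = (item.get("status") or {}).get("wireguardPublicKey")
        if not key:
            result[name] = "missing"    # Felix published no key: no tunnel on this node
        elif not is_wireguard_key(key):
            result[name] = "malformed"
        else:
            result[name] = "ok"
    return result


def unencrypted_nodes(node_list_json):
    """Names of nodes whose pod traffic is not covered by a WireGuard tunnel."""
    return sorted(n for n, s in audit_nodes(node_list_json).items() if s != "ok")


def live_node_list_json():
    """Fetch the real list; needs calicoctl in PATH and cluster access (not run in the sample)."""
    return subprocess.check_output(["calicoctl", "get", "nodes", "-o", "json"], text=True)


if __name__ == "__main__":
    print(audit_nodes(SAMPLE_NODES_JSON))  # use live_node_list_json() against a real cluster
```

A node reported as "missing" is either not running WireGuard (see the note under step 1) or has wireguardEnabled set to false in its node-specific Felix configuration, so its pod traffic crosses the wire unencrypted.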

Above and beyond