WireGuard

  • This mode requires kube-vip to run as a DaemonSet, because it needs to read existing data (Secrets) from inside the cluster.
  • A WireGuard server that acts as the ingress for the control plane and/or several services.
  • Distinct network ranges for each WireGuard tunnel.
  • No IPv6 support (untested).
  • TCP and UDP support only.
  • The control plane port is hardcoded to 6443 (the resulting URL is https://:6443).

The VPN node is the pre-existing WireGuard server; its implementation and setup are out of scope for kube-vip. External traffic, for example from the internet, reaches the VPN node and is forwarded to the peer that is currently connected. That peer (Node A in the diagram below) forwards the traffic to the respective service or to the control plane. If a node loses its lease, another node connects to the VPN node, and the VPN node then forwards traffic to that peer.
kube-vip also supports several tunnels at once, providing access from multiple sources.

           ┌────────────────────┐        
           │                    │        
           │  External Traffic  │        
           │                    │        
           └────────┬───────────┘        
                    │                    
                    │                    
             ┌──────▼───────┐            
             │              │            
      ┌──────►   VPN Node   │            
      │      │              │            
      │      └──────────────┘            
      │                                  
      │                                  
┌─────▼─────┐  ┌──────────┐  ┌──────────┐
│           │  │          │  │          │
│  Node A   │  │  Node B  │  │  Node C  │
│           │  │          │  │          │
└───────────┘  └──────────┘  └──────────┘

kube-vip usually runs within the host's network namespace. However, it is strongly recommended to disable this in WireGuard mode: if a kube-vip pod crashes, the WireGuard connection may remain open on the host, and other nodes will then be unable to connect to the VPN node.
Disabling host network access also means that kube-vip cannot set the networking sysctls required for forwarding and routing on its own, so they have to be set in the pod's security context. Note that these sysctls also need to be allowed in the kubelet configuration; more information can be found in the Kubernetes documentation.

```yaml
podSecurityContext:
  sysctls:
    - name: net.ipv4.conf.all.src_valid_mark
      value: "1"
    - name: net.ipv4.conf.all.route_localnet
      value: "1"
hostNetwork: false
```

In order to configure the available tunnels and VIPs, a Secret named `wireguard` must exist in the same namespace as kube-vip.

```yaml
apiVersion: v1
kind: Secret
metadata:
    name: wireguard
    namespace: <kube-vip namespace>
stringData:
    tunnels: |
        wg0:
            vip: <ip-address>/32
            privateKey: <this peers private key>
            peerPublicKey: <public key of VPN Node>
            peerEndpoint: <endpoint of VPN Node>
            listenPort: 51820
            allowedIPs:
                - 10.0.0.0/8
        wg1:
            vip: <ip-address>/32
            privateKey: <this peers private key>
            peerPublicKey: <public key of VPN Node>
            peerEndpoint: <endpoint of VPN Node>
            listenPort: 51821
            allowedIPs:
                - 100.0.0.0/8
```

Attention needs to be paid to the allowed IPs. First, the ranges of different tunnels must not overlap; if overlapping ranges are a requirement, create several deployments instead. Second, the ranges must not include the pod CIDR or other potentially conflicting ranges. At the same time, the allowed IPs must include every IP range that traffic is expected to come from. If you want to receive traffic from the internet, you need to calculate a set of ranges that covers everything reachable from the internet but excludes your pod CIDR and any other private networks in use. There are several calculators available online for that.
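To make these rules checkable before the Secret is applied, here is an added example (not kube-vip's own code) that validates a parsed `tunnels` mapping for overlapping ranges, duplicate listen ports and collisions with the pod CIDR, and computes the "internet minus private ranges" list with Python's standard `ipaddress` module. The sample tunnel data and the pod CIDR `10.244.0.0/16` are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample: parsed `tunnels` key of the wireguard Secret, reduced to the needed fields.
SAMPLE_TUNNELS = {
    "wg0": {"listenPort": 51820, "allowedIPs": ["10.0.0.0/8"]},
    "wg1": {"listenPort": 51821, "allowedIPs": ["100.0.0.0/8"]},
}

def exclude_ranges(base, excludes):
    """Split `base` into the subnets that contain none of `excludes`."""
    remaining = [ipaddress.ip_network(base)]
    for ex in map(ipaddress.ip_network, excludes):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):        # carve the excluded range out of net
                kept.extend(net.address_exclude(ex))
            elif not net.overlaps(ex):   # disjoint: keep unchanged
                kept.append(net)
            # otherwise net lies entirely inside ex and is dropped
        remaining = kept
    return sorted(remaining)

def check_tunnels(tunnels, pod_cidr):
    """Return findings for a parsed `tunnels` mapping; an empty list means OK."""
    pod = ipaddress.ip_network(pod_cidr)
    nets = {name: [ipaddress.ip_network(c) for c in t["allowedIPs"]]
            for name, t in tunnels.items()}
    findings = []
    for name, ranges in nets.items():
        for r in ranges:
            if r.overlaps(pod):
                findings.append(f"{name}: allowedIP {r} overlaps pod CIDR {pod}")
    # allowed ranges of different tunnels must not overlap; ports must differ
    for (a, ra), (b, rb) in combinations(nets.items(), 2):
        for x in ra:
            for y in rb:
                if x.overlaps(y):
                    findings.append(f"{a}/{b}: allowedIPs {x} and {y} overlap")
        if tunnels[a]["listenPort"] == tunnels[b]["listenPort"]:
            findings.append(f"{a}/{b}: both use listenPort {tunnels[a]['listenPort']}")
    return findings

if __name__ == "__main__":
    # constructed pod CIDR: wg0's 10.0.0.0/8 collides with it
    for finding in check_tunnels(SAMPLE_TUNNELS, "10.244.0.0/16"):
        print("finding:", finding)
    # the internet minus two private ranges, as a CIDR list usable for allowedIPs
    for net in exclude_ranges("0.0.0.0/0", ["10.0.0.0/8", "192.168.0.0/16"]):
        print(net)
```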