Enable Cilium node-to-node strict encryption #2462
Can't really comment on most of the helm chart changes
Rest looks good to me
helm changes lgtm.
Reverting back to draft to figure out migration off of konnectivity. See broken upgrade test.
Bumping Cilium to also enable node-to-node encryption and node-to-node strict mode. Since the second is not upstream we use our fork.
When enabling node-to-node encryption, Cilium does not encrypt control-plane to control-plane traffic by default since they say that they cannot guarantee that the generated private key for a node is persisted across reboots. In Constellation we use stateful VMs which when rebooted still have the cilium_wg0 interface containing the private key. Therefore, we can enable this type of encryption.
For the strict modes we need to dynamically use the CIDR used in the Terraform files. Therefore, we write them to our statefile and use them when installing Cilium.
The token given out by control-planes contains the node IP as an endpoint. Since during this stage the joining node is not connected to the WireGuard network, we cannot communicate node-to-node. Therefore, we need to hop over the load balancer again to have a src IP outside of the strict range.
Use the local variable instead of inlining the node CIDR value.
The Cilium strict mode has a special mode which loosens the security a slight bit. For compatibility this mode is enabled by default. But we don't need it for strict node-to-node encryption. Therefore, we disable it.
Tests concluded that restarting the Cilium agent after the first boot is not needed anymore to regain connectivity for pods.
This is the first step in our migration off of konnectivity. Before node-to-node encryption we used konnectivity to route some KubeAPI to kubelet traffic over the pod network which then would be encrypted. Since we enabled node-to-node encryption this has no security upsides anymore. Note that we still deploy the konnectivity agents via helm and still have the load balancer for konnectivity. In the following releases we will remove both.
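As an added illustration (not code from this PR, from Constellation or from Cilium) of why the join request has to hop over the load balancer and why the compatibility relaxation is switched off, here is a small Python model of strict-mode enforcement. The node CIDR, addresses and flows are constructed, and the relaxation flag is assumed to correspond to upstream's encryption.strictMode.allowRemoteNodeIdentities.

```python
from ipaddress import ip_address, ip_network

# Constructed values: in Constellation the real node CIDR is read from the
# Terraform state at install time; the load balancer sits outside that range.
NODE_CIDR = ip_network("10.9.0.0/16")
LOAD_BALANCER_IP = "192.0.2.10"


def strict_verdict(src, dst, wireguard, node_to_node, allow_remote_node_identities=False):
    """Simplified model (an assumption, not Cilium's datapath code) of strict mode:
    unencrypted traffic whose source and destination both lie inside the strict
    CIDR is dropped. The compatibility relaxation exempts node-to-node traffic;
    the PR disables that relaxation."""
    in_scope = ip_address(src) in NODE_CIDR and ip_address(dst) in NODE_CIDR
    if not in_scope or wireguard:
        return "allow"
    if node_to_node and allow_remote_node_identities:
        return "allow"  # the loophole the PR closes
    return "drop"


# Constructed flows as seen by a control-plane node (dst 10.9.0.5).
FLOWS = {
    # joining node has no WireGuard peering yet and talks to the control plane directly
    "join-direct": dict(src="10.9.1.10", dst="10.9.0.5", wireguard=False, node_to_node=True),
    # same join request after hopping over the load balancer: src is outside the range
    "join-via-lb": dict(src=LOAD_BALANCER_IP, dst="10.9.0.5", wireguard=False, node_to_node=False),
    # control-plane to control-plane traffic once both peers have their keys
    "cp-to-cp-wg": dict(src="10.9.0.6", dst="10.9.0.5", wireguard=True, node_to_node=True),
    # same pair in plaintext, e.g. a node whose WireGuard key was not persisted
    "cp-to-cp-plain": dict(src="10.9.0.6", dst="10.9.0.5", wireguard=False, node_to_node=True),
}


def evaluate(flows=FLOWS, allow_remote_node_identities=False):
    """Return the verdict for every flow under the chosen strict-mode setting."""
    return {
        name: strict_verdict(allow_remote_node_identities=allow_remote_node_identities, **flow)
        for name, flow in flows.items()
    }


if __name__ == "__main__":
    for setting in (False, True):
        print(f"allowRemoteNodeIdentities={setting}: {evaluate(allow_remote_node_identities=setting)}")
```

With the relaxation off, the direct join and the plaintext control-plane flow are dropped while the load-balanced join passes; turning it back on lets both plaintext node-to-node flows through, which is the weakening the PR avoids.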
Context
Proposed change(s)
FixCilium(). There is no need to restart the agent anymore.
Additional info
Minicon: https://github.com/edgelesssys/constellation/actions/runs/6864239262 (This fails due to the main nightly image still setting up konnectivity; when using the image from this branch the test works: ref/feat-cilium-strict-node-to-node/stream/nightly/v2.13.0-pre.0.20231114141207-0d4d3c3d8386)
e2e, azure, lb: https://github.com/edgelesssys/constellation/actions/runs/6864247842
e2e, gcp, verify: https://github.com/edgelesssys/constellation/actions/runs/6864253985
e2e, aws, autoscaling: https://github.com/edgelesssys/constellation/actions/runs/6864259968
e2e, upgrade, gcp 3:2, from v2.12.0: https://github.com/edgelesssys/constellation/actions/runs/6877667384
Again:
e2e, azure, lb: https://github.com/edgelesssys/constellation/actions/runs/6878967924
e2e, gcp, verify: https://github.com/edgelesssys/constellation/actions/runs/6878976138
e2e, aws, autoscaling: https://github.com/edgelesssys/constellation/actions/runs/6878980995
e2e, upgrade, gcp 3:2, from v2.12.0: https://github.com/edgelesssys/constellation/actions/runs/6878954935