Alauda Container Platform

Calico Network Supports WireGuard Encryption

Calico supports WireGuard encryption for both IPv4 and IPv6 traffic, which can be independently enabled via parameters in the FelixConfiguration resource.

TOC

Installation Status

Default Installation

Operating SystemKernel Version
Linux5.6 and above are installed by default
Ubuntu 20.045.4.0-135-generic
Kylin Linux Advanced Server V10 - SP34.19.90-52.22.v2207.ky10.x86_64

Not Installed by Default

Operating SystemKernel Version
openEuler4.18.0-147.5.2.13.h996.eulerosv2r10.x86_64
CentOS 73.10.0-1160.el7.x86_64
Redhat 8.74.18.0-425.3.1.el8.x86_64
Kylin Linux Advanced Server V10 - SP24.19.90-24.4.v2101.ky10.x86_64
Kylin Linux Advanced Server V10 - SP14.19.90-23.8.v2101.ky10.x86_64
Kylin Linux Advanced Server V104.19.90-11.ky10.x86_64

Terminology

TermExplanation
wireguardEnabledEnable encryption for IPv4 traffic over the IPv4 Underlay network.
wireguardEnabledV6Enable encryption for IPv6 traffic over the IPv6 Underlay network.

Notes

  1. When using the Calico network plugin, ensure that the natOutgoing parameter is set to true to support WireGuard encryption. By default, this parameter is correctly configured for the Calico subnet when creating the cluster, requiring no additional configuration.

  2. WireGuard supports encryption for both IPv4 and IPv6 traffic; if you need to encrypt both types of traffic, configuration must be done separately. For detailed parameter configuration, refer to the Felix Configuration Documentation, configuring both wireguardEnabled and wireguardEnabledV6 parameters.

  3. If WireGuard is not installed by default, refer to the WireGuard Installation Guide for manual installation, although there may be cases where manual installation of the WireGuard module fails.

  4. Traffic between containers across nodes will be encrypted, including network traffic from one host to another; however, communication between Pods on the same node and traffic between a Pod and its host node will not be encrypted.

Prerequisites

  • WireGuard must be installed on all nodes in the cluster beforehand. For details, refer to the WireGuard Installation Documentation. Nodes without WireGuard installed do not support encryption.

Procedure

  1. Enable or disable IPv4 and IPv6 encryption.

    Note: The following commands must be executed in the CLI tool on the Master node where the node resides.

    • Enable IPv4 encryption only

      kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'

    • Enable IPv6 encryption only

      kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabledV6":true}}'

    • Enable both IPv4 and IPv6 encryption

      kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true,"wireguardEnabledV6":true}}'

    • Disable both IPv4 and IPv6 encryption

      • Method 1: Execute the command in the CLI tool to disable encryption.

        kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":false,"wireguardEnabledV6":false}}'

      • Method 2: Modify the felixconfiguration configuration file to disable encryption.

        1. Execute the following command to open the felixconfiguration configuration file.

          kubectl get felixconfiguration -o yaml default

        2. Set wireguardEnabled and wireguardEnabledV6 parameters to false to disable WireGuard encryption.

          apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
  annotations:
    projectcalico.org/metadata: '{"uid":"f5facabd-8304-46d6-81c1-f1816235b487","creationTimestamp":"2024-08-06T03:46:51Z"}'
  generation: 2
  name: default
  resourceVersion: "890216"
spec:
  bpfLogLevel: ""
  floatingIPs: Disabled
  logSeverityScreen: Info
  reportingInterval: 0s
  wireguardEnabled: false # Change to true to enable IPv4 encryption
  wireguardEnabledV6: false # Change to true to enable IPv6 encryption

  2. After completing the Calico WireGuard encryption configuration, execute the following command to confirm the WireGuard encryption status. If both IPv4 and IPv6 encryption are enabled, the presence of wireguardPublicKey or wireguardPublicKeyV6 under the Status field indicates successful activation; if both IPv4 and IPv6 encryption are disabled, these fields will not contain wireguardPublicKey or wireguardPublicKeyV6, indicating successful deactivation.

    calicoctl get node <NODE-NAME> -o yaml # Replace <NODE-NAME> with the name of the node.

    Output:

    Status:
    wireguardPublicKey: L/MUP9+Yxx/xxxxxxxxxxxx/xxxxxxxxxx =

Result Verification

This document uses IPv4 traffic verification as an example; IPv6 traffic verification is similar to IPv4 and will not be repeated here.

IPv4 Traffic Verification

  1. After configuring WireGuard encryption, check the routing information, where traffic between nodes preferentially uses the wireguard.cali interface for message forwarding.

    root@test:~# ip rule   # View current routing rules
     0: from all lookup local
     99:  not from all fwmark 0x100000/0x100000 lookup 1    # For all packets not marked as 0x100000, use routing table 1 for routing lookup
     32766:  from all lookup main
     32767 :  from all lookup default

root@test:~# ip route show table 1    # Display routing entries for table 1.
    10.3.138.0 dev wireguard.cali scope link
    10.3.138.0/26 dev wireguard.cali scope link
    throw 10.3.231.192
    10.3.236.128 dev wireguard.cali scope link     # Traffic to reach IP address 10.3.236.128 will be sent through the wireguard.cali interface
    10.3.236.128/26 dev wireguard.cali scope link
    throw 10.10.10.124/30
    10.10.10.200/30 dev wireguard.cali scope link
    throw 10.10.20.124/30
    10.10.20.200/30 dev wireguard.cali scope link
    throw
    10.13.138.0 dev wireguard.cali scope link
    10.13.138.0/26 dev wireguard.cali scope link
    throw 10.13.231.192/26
    10.13.236.128 dev wireguard.cali scope link
    10.13.236.128/26 dev wireguard.cali scope link

root@test:~# ip r get 10.10.10.202    # Routing path from the current node to the target IP address 10.10.10.202
    10.10.10.202 dev wireguard.cali table 1 src 10.10.10.127 uid 0  cache   # When accessing the target IP address 10.10.10.202 from the current node, the packet will be sent through the wireguard.cali interface, using routing table 1, and the source address will be set to 10.10.10.127

root@test:~# ip route    # Show the main routing table
    default via 192.168.128.1 dev eth0 proto static
    10.3.138.0/26 via 10.3.138.0 dev vxlan.
    blackhole 10.3.231.193
    10.3.231.194
    10.3.231.195
    10.3.231.196
    10.3.231.197
    3.231.192/26 proto 80
    dev cali8dcd31cIdOO scope link
    dev cali3012b5b29b scope link
    dev calibeefea2ff87 scope link
    dev cali2b27d5e4053 scope link
    dev cali1a35dbdd639 scope link
    calico on link

  2. Capture packets on the node to observe cross-node traffic.

    root@test:~# ip a s wireguard.cali    # View detailed information about the wireguard.cali network interface
    30: wireguard.cali: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.10.10.127/32 scope global wireguard.cali   # The IP address assigned to wireguard.cali interface is 10.10.10.127
    valid_lft forever preferred_lft forever

root@test:~# tcpdump -i wireguard.cali -nnve icmp   # Capture and display ICMP packets through wireguard.cali
    tcpdump: listening on wireguard.cali, link-type RAW (Raw IP), capture size 262144 bytes
    08:58:36.987559 ip: (tos 0x0, ttl 63, id 29731, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.10.125 > 10.10.10.202: ICMP echo request, id 1110, seq 0, length 64
    08:58:36.988683 ip: (tos 0x0, ttl 63, id 1800, offset 0, flags [none], proto ICMP (1), length 84)
    10.10.10.202 > 10.10.10.125: ICMP echo reply, id 1110, seq 0, length 64
    2 packets captured
    2 packets received by filter
    0 packets dropped by kernel

  3. Testing shows that IPv4 type traffic is forwarded via the wireguard.cali interface.