* Wireguard as a Kubernetes Service
@ 2021-08-09 12:34 Nico Schottelius
0 siblings, 0 replies; only message in thread
From: Nico Schottelius @ 2021-08-09 12:34 UTC (permalink / raw)
To: WireGuard mailing list
Hello dear WG mailing list,
I am interested in running wireguard servers (as in endpoints) inside a
kubernetes cluster. I have two different approaches and was wondering
what makes more sense:
1) Wireguard in kernel on every participating node
Assuming that the kernel module is loaded on the host and that a k8s pod
just sets the VPN configuration, every node that hosts the wireguard
service would need to be configured.
Given that a pod is privileged, this might work with a single instance
service that is only terminated on one node. I assume the usual roaming
problems apply so that only 1 node could host that service.
One problem I see here is that the host will have fragments left, even
if the pod is moved to another node. This might be able to catch using
finalizers.
The biggest "problem" I see is that the actual node becomes the VPN
endpoint and not really the pod.
2) User space client
Is there still any Linux user space client that could be used instead?
Performance is not the most critical point of running wireguard as a
service inside k8s, but more the ease of maintenance.
I see these two options, does anyone have a better idea on how to move
the vpn endpoints into a k8s cluster?
Best regards,
Nico
--
Sustainable and modern Infrastructures by ungleich.ch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2021-08-09 12:34 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-09 12:34 Wireguard as a Kubernetes Service Nico Schottelius
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).