Using WireGuard with Kubernetes

Using WireGuard with Kubernetes

[Tom Denham]

[-- Attachment #1: Type: text/plain, Size: 730 bytes --]

I was wondering if anyone had any experience using WireGuard with
Kubernetes? I see that the WireGuard website says "Ready for Containers"
but the model it describes sounds like it would work for adding WireGuard
to a single container (putting the wg interface in the container itself).
If I have many containers on a host, and many containers on a host, and I
want them all to be able to communicate with each other using WireGuard,
then I would need to create many different WireGuard interfaces and
presumably they would all need their own independent config. It doesn't
feel like this would scale to 100's of hosts and tens of thousands of
containers.

I'm interested in hearing people's thoughts and ideas on this
Thanks
Tom

[-- Attachment #2: Type: text/html, Size: 822 bytes --]

Re: Using WireGuard with Kubernetes

[Martin Eskdale Moen]

[-- Attachment #1: Type: text/plain, Size: 1385 bytes --]

I've been doing some experiments with this. Not so much with kubes yet,
that was next on the list.
I think at the moment linking together the various network namespaces using
a linux bridge should work.
Not sure if I'm shooting myself in the foot at all using linux bridges.
Reading over the docs of openvswitch vs linux bridge it seems the bridge is
easier to understand and overall more useful.

On Wed, Apr 25, 2018 at 6:54 PM, Tom Denham <tom@tigera.io> wrote:

> I was wondering if anyone had any experience using WireGuard with
> Kubernetes? I see that the WireGuard website says "Ready for Containers"
> but the model it describes sounds like it would work for adding WireGuard
> to a single container (putting the wg interface in the container itself).
> If I have many containers on a host, and many containers on a host, and I
> want them all to be able to communicate with each other using WireGuard,
> then I would need to create many different WireGuard interfaces and
> presumably they would all need their own independent config. It doesn't
> feel like this would scale to 100's of hosts and tens of thousands of
> containers.
>
> I'm interested in hearing people's thoughts and ideas on this
> Thanks
> Tom
>
> _______________________________________________
> WireGuard mailing list
> WireGuard@lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/wireguard
>
>

[-- Attachment #2: Type: text/html, Size: 2053 bytes --]

Re: Using WireGuard with Kubernetes

[Tom Denham]

[-- Attachment #1: Type: text/plain, Size: 2440 bytes --]

For Kubernetes, using the bridge CNI plugin (
https://github.com/containernetworking/plugins/tree/master/plugins/main/bridge)
or even the ptp plugin (
https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp)
should work fine. I wonder though if there's a way to alias the wg0 device
itself and push that into the container with something like the host-device
plugin (
https://github.com/containernetworking/plugins/tree/master/plugins/main/host-device).
This would avoid the overhead of a veth (and a bridge).

<https://tigera.io/> *Tom* *Denham*
Senior Software Engineer
Tigera
tom@tigera.io | @_tomdee <https://twitter.com/_tomdee> |
https://github.com/tomdee  <https://github.com/tomdee>
Follow us: Blog <https://blog.tigera.io/> | Twitter
<https://twitter.com/tigeraio> | LinkedIn
<https://www.linkedin.com/company/tigera/>

Secure Application Connectivity for the Cloud Native World
<https://tigera.io/>

On Wed, Apr 25, 2018 at 1:15 PM, Martin Eskdale Moen <martinmoen@gmail.com>
wrote:

> I've been doing some experiments with this. Not so much with kubes yet,
> that was next on the list.
> I think at the moment linking together the various network namespaces
> using a linux bridge should work.
> Not sure if I'm shooting myself in the foot at all using linux bridges.
> Reading over the docs of openvswitch vs linux bridge it seems the bridge is
> easier to understand and overall more useful.
>
> On Wed, Apr 25, 2018 at 6:54 PM, Tom Denham <tom@tigera.io> wrote:
>
>> I was wondering if anyone had any experience using WireGuard with
>> Kubernetes? I see that the WireGuard website says "Ready for Containers"
>> but the model it describes sounds like it would work for adding WireGuard
>> to a single container (putting the wg interface in the container itself).
>> If I have many containers on a host, and many containers on a host, and I
>> want them all to be able to communicate with each other using WireGuard,
>> then I would need to create many different WireGuard interfaces and
>> presumably they would all need their own independent config. It doesn't
>> feel like this would scale to 100's of hosts and tens of thousands of
>> containers.
>>
>> I'm interested in hearing people's thoughts and ideas on this
>> Thanks
>> Tom
>>
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard
>>
>>
>

[-- Attachment #2: Type: text/html, Size: 4585 bytes --]