From: Tom Denham <tom@tigera.io>
Date: Wed, 25 Apr 2018 16:32:33 -0700
Subject: Re: Using WireGuard with Kubernetes
To: Martin Eskdale Moen <martinmoen@gmail.com>
Cc: WireGuard mailing list <WireGuard@lists.zx2c4.com>

For Kubernetes, using the bridge CNI plugin
(https://github.com/containernetworking/plugins/tree/master/plugins/main/bridge)
or even the ptp plugin
(https://github.com/containernetworking/plugins/tree/master/plugins/main/ptp)
should work fine.

I wonder though if there's a way to alias the wg0 device itself and push that
into the container with something like the host-device plugin
(https://github.com/containernetworking/plugins/tree/master/plugins/main/host-device).
This would avoid the overhead of a veth (and a bridge).

Tom Denham
Senior Software Engineer
Tigera
tom@tigera.io | @_tomdee | https://github.com/tomdee
Follow us: Blog | Twitter | LinkedIn
Secure Application Connectivity for the Cloud Native World

On Wed, Apr 25, 2018 at 1:15 PM, Martin Eskdale Moen wrote:
> I've been doing some experiments with this. Not so much with kubes yet,
> that was next on the list.
> I think at the moment linking together the various network namespaces
> using a linux bridge should work.
> Not sure if I'm shooting myself in the foot at all using linux bridges.
> Reading over the docs of openvswitch vs linux bridge it seems the bridge is
> easier to understand and overall more useful.
>
> On Wed, Apr 25, 2018 at 6:54 PM, Tom Denham wrote:
>
>> I was wondering if anyone had any experience using WireGuard with
>> Kubernetes? I see that the WireGuard website says "Ready for Containers"
>> but the model it describes sounds like it would work for adding WireGuard
>> to a single container (putting the wg interface in the container itself).
>> If I have many containers on a host, and many containers on a host, and I
>> want them all to be able to communicate with each other using WireGuard,
>> then I would need to create many different WireGuard interfaces and
>> presumably they would all need their own independent config. It doesn't
>> feel like this would scale to 100's of hosts and tens of thousands of
>> containers.
>>
>> I'm interested in hearing people's thoughts and ideas on this
>> Thanks
>> Tom
>>
>> _______________________________________________
>> WireGuard mailing list
>> WireGuard@lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/wireguard
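As an added illustration of the layout Tom describes (one wg0 per host, containers attached through the bridge CNI plugin, so no per-container WireGuard interface is needed), written for this archive and not code from the thread or from WireGuard, Tigera or the CNI project: a Python sketch that renders each host's WireGuard peer list with every peer's AllowedIPs covering that host's pod CIDR, emits the matching bridge CNI conflist, and checks that pod CIDRs do not overlap. Host names, keys, endpoints and CIDRs are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample inventory (not from the thread): one WireGuard interface
# per host, each host owning one pod CIDR. Keys and endpoints are placeholders.
HOSTS = [
    {"name": "node-a", "pubkey": "PUBKEY_A_PLACEHOLDER", "endpoint": "192.0.2.10:51820",
     "wg_addr": "10.100.0.1/24", "pod_cidr": "10.244.0.0/24"},
    {"name": "node-b", "pubkey": "PUBKEY_B_PLACEHOLDER", "endpoint": "192.0.2.11:51820",
     "wg_addr": "10.100.0.2/24", "pod_cidr": "10.244.1.0/24"},
    {"name": "node-c", "pubkey": "PUBKEY_C_PLACEHOLDER", "endpoint": "192.0.2.12:51820",
     "wg_addr": "10.100.0.3/24", "pod_cidr": "10.244.2.0/24"},
]

def check_disjoint(hosts):
    """Pod CIDRs must not overlap: cryptokey routing resolves a destination to
    exactly one peer (longest prefix wins; an identical entry silently moves to
    the peer configured last), so an overlap misroutes another host's pods."""
    nets = [ipaddress.ip_network(h["pod_cidr"]) for h in hosts]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def wg_conf(local, hosts, privkey="PRIVKEY_PLACEHOLDER"):
    """wg-quick style config for `local`: every other host is one peer whose
    AllowedIPs is its tunnel address plus its whole pod CIDR. wg-quick installs
    a route per AllowedIPs entry, so all containers behind that host are reached
    through the single wg0 without any per-container WireGuard interface."""
    lines = ["[Interface]", f"Address = {local['wg_addr']}",
             f"PrivateKey = {privkey}", "ListenPort = 51820"]
    for h in hosts:
        if h["name"] == local["name"]:
            continue
        tunnel_ip = ipaddress.ip_interface(h["wg_addr"]).ip
        lines += ["", "[Peer]", f"PublicKey = {h['pubkey']}",
                  f"Endpoint = {h['endpoint']}",
                  f"AllowedIPs = {tunnel_ip}/32, {h['pod_cidr']}"]
    return "\n".join(lines) + "\n"

def peer_count(conf):
    return conf.count("[Peer]")

def bridge_conflist(local, bridge="cni0"):
    """Bridge CNI conflist for `local`: pods get a veth on the bridge and an
    address from the host's pod CIDR. ipMasq stays off because WireGuard drops
    inbound packets whose source is not inside the sending peer's AllowedIPs;
    the real pod source address must reach the far host unchanged."""
    return json.dumps({"cniVersion": "0.3.1", "name": "wg-pods", "plugins": [
        {"type": "bridge", "bridge": bridge, "isGateway": True, "ipMasq": False,
         "ipam": {"type": "host-local", "subnet": local["pod_cidr"]}}]}, indent=2)
```

Each host runs `wg_conf` for itself and writes the result to /etc/wireguard/wg0.conf, with the conflist dropped into the CNI configuration directory; neither file is applied by this script.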