Just-in

Kagent Tutorial: Build Cloud-Native AI Agents on Kubernetes

Running Ollama LLM on Kubernetes: A Complete Guide

From Docker to Kubernetes: The Orchestration Journey You Didn’t Know You Needed

What is Kubeflow and how can it be used?

Getting Started with Kubeflow: A Complete Beginner’s Guide

Orchestration

Cilium WireGuard: Encrypt Pod Traffic

Introduction

In today’s highly distributed and security-conscious world, encrypting data in transit is no longer an optional extra but a fundamental requirement. While Transport Layer Security (TLS) handles encryption at the application layer, what about the underlying network traffic, especially within a Kubernetes cluster? Traditional approaches often involve complex mesh configurations or IPsec, which can be cumbersome to manage and introduce significant overhead. This is where Cilium, an eBPF-based networking, observability, and security solution, combined with WireGuard, a modern, high-performance VPN protocol, offers a revolutionary approach.

Cilium’s integration with WireGuard brings transparent, high-performance, and secure pod-to-pod encryption directly into your Kubernetes network. This means that all traffic flowing between your pods, even across different nodes, can be automatically encrypted at the network layer without requiring any application changes or complex sidecar injection. This not only significantly enhances your cluster’s security posture by protecting against eavesdropping and man-in-the-middle attacks but also simplifies compliance with various industry regulations. Imagine the peace of mind knowing your microservices are communicating over a secure, encrypted tunnel by default, all managed seamlessly by your CNI.

This guide will walk you through the process of enabling and verifying WireGuard-based pod-to-pod encryption with Cilium in your Kubernetes cluster. We’ll cover everything from initial setup to verifying encryption, discussing production considerations, and troubleshooting common issues. By the end, you’ll have a robust, encrypted network fabric underpinning your Kubernetes workloads, leveraging the power of eBPF and WireGuard for unparalleled security and performance. For a deeper dive into Cilium’s capabilities, especially around network security, you might want to explore our Kubernetes Network Policies: Complete Security Hardening Guide.

TL;DR: Cilium WireGuard Encryption

Enable transparent pod-to-pod encryption in Kubernetes using Cilium with WireGuard. This enhances security without application changes.

  • Install Cilium with WireGuard: Use Helm to install Cilium, ensuring encryption.enabled=true and encryption.type=wireguard.
  • Verify Encryption Status: Check Cilium agent logs and pod communication for wireguard interfaces.
  • Test Encryption: Use tcpdump or tshark to confirm encrypted traffic between pods.
# Install Cilium with WireGuard encryption
helm repo add cilium https://helm.cilium.io/
helm install cilium cilium/cilium --version 1.15.5 \
  --namespace kube-system \
  --set encryption.enabled=true \
  --set encryption.type=wireguard \
  --set ipam.mode=kubernetes \
  --set tunnel=vxlan # or geneve, direct

# Verify WireGuard interfaces on a node
kubectl -n kube-system exec cilium-xxxx -- ip link show wg0

# Verify encrypted traffic (example using tcpdump)
# From pod-a to pod-b, tcpdump on node hosting pod-b, filtering for non-WireGuard traffic
# Should see only WireGuard encapsulated traffic.

Prerequisites

Before diving into the setup, ensure you have the following:

  • Kubernetes Cluster: A running Kubernetes cluster (v1.20+ recommended). This guide assumes a fresh cluster or one where Cilium is not yet installed. If Cilium is already installed, you’ll need to upgrade it with the encryption flags.
  • kubectl: Configured to communicate with your cluster. Refer to the official Kubernetes documentation for installation.
  • helm: Version 3.x installed. See the Helm installation guide.
  • Operating System: Linux kernel 5.6+ is recommended for optimal WireGuard performance, as it includes the native WireGuard module. Older kernels might require the wireguard-dkms package. Ensure your nodes meet this requirement.
  • Network Connectivity: Nodes must have IP connectivity to each other over the underlying network.
  • Basic Understanding of Cilium: Familiarity with Cilium as a CNI and its core concepts will be helpful.

Step-by-Step Guide

1. Add Cilium Helm Repository

First, we need to add the official Cilium Helm repository to our local Helm configuration. This allows us to easily install and manage Cilium within our cluster.

helm repo add cilium https://helm.cilium.io/
helm repo update

Verify:

Confirm that the Cilium repository has been added and updated successfully.

helm repo list

Expected Output:

NAME    URL
cilium  https://helm.cilium.io/

2. Install Cilium with WireGuard Encryption

Now, we’ll install Cilium, explicitly enabling WireGuard encryption. The key flags here are encryption.enabled=true and encryption.type=wireguard. We also specify ipam.mode=kubernetes for Kubernetes-native IPAM and tunnel=vxlan (or geneve) for overlay networking, which is common in many cloud environments. You might consider tunnel=direct for bare-metal or on-premise setups where direct routing is preferred, but ensure your network supports it. For more advanced networking configurations, including eBPF-based observability, check out our eBPF Observability: Building Custom Metrics with Hubble guide.

helm install cilium cilium/cilium --version 1.15.5 \
  --namespace kube-system \
  --set encryption.enabled=true \
  --set encryption.type=wireguard \
  --set ipam.mode=kubernetes \
  --set tunnel=vxlan \
  --set hubble.enabled=true \
  --set hubble.ui.enabled=true \
  --set l7proxy=false \
  --set kubeProxyReplacement=strict

Explanation of important flags:

  • --namespace kube-system: Installs Cilium into the kube-system namespace.
  • --set encryption.enabled=true: Activates the encryption feature in Cilium.
  • --set encryption.type=wireguard: Specifies WireGuard as the encryption backend.
  • --set ipam.mode=kubernetes: Delegates IP address management to Kubernetes.
  • --set tunnel=vxlan: Configures Cilium to use VXLAN for overlay networking. Other options include geneve or direct.
  • --set hubble.enabled=true and --set hubble.ui.enabled=true: Enables Hubble for network observability, which can be invaluable for troubleshooting.
  • --set l7proxy=false: Disables the L7 proxy (Envoy) for simplicity in this guide. Re-enable if you need L7 policies.
  • --set kubeProxyReplacement=strict: Replaces kube-proxy with an eBPF-based implementation for better performance and reduced complexity.

Verify:

Check that Cilium pods are running and healthy in the kube-system namespace. Wait for all pods to be in the Running state.

kubectl get pods -n kube-system -l k8s-app=cilium

Expected Output (similar to):

NAME            READY   STATUS    RESTARTS   AGE
cilium-xxxxx    1/1     Running   0          2m
cilium-yyyyy    1/1     Running   0          2m

3. Verify WireGuard Interfaces on Nodes

Once Cilium is deployed with WireGuard enabled, each Cilium agent pod will create a WireGuard interface on its respective node. This interface is responsible for establishing encrypted tunnels between nodes. We can inspect this from within a Cilium pod.

# Get the name of one of the Cilium agent pods
CILIUM_POD=$(kubectl get pods -n kube-system -l k8s-app=cilium -o jsonpath='{.items[0].metadata.name}')

# Execute 'ip link show wg0' inside the Cilium pod
kubectl -n kube-system exec $CILIUM_POD -- ip link show wg0

Explanation:

The command retrieves the name of a running Cilium pod and then executes ip link show wg0 inside its container. The wg0 interface is the WireGuard interface created by Cilium for encryption.

Verify:

The output should show details of the wg0 interface, confirming its existence and configuration.

# Expected Output (similar to):
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.0.1/32 scope host wg0
       valid_lft forever preferred_lft forever

You can also check the WireGuard configuration to see the peers (other nodes in the cluster).

kubectl -n kube-system exec $CILIUM_POD -- wg show wg0

Expected Output (similar to):

# Expected Output (similar to, showing connected peers):
interface: wg0
  public key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
  private key: (hidden)
  listening port: 51871

peer: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY=
  endpoint: 10.0.0.2:51871
  allowed ips: 10.0.0.2/32, 10.42.1.0/24
  latest handshake: 1 minute, 18 seconds ago
  transfer: 1.05 KiB received, 1.25 KiB sent

This output confirms that WireGuard is active and has established peer connections with other nodes in the cluster, facilitating encrypted communication.

4. Deploy Test Applications

To demonstrate and verify the encryption, we need a couple of applications that can communicate with each other. We’ll deploy two simple Nginx deployments and expose them via services. This will allow us to establish communication between pods on potentially different nodes.

# test-apps.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-a
  labels:
    app: app-a
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-a
  template:
    metadata:
      labels:
        app: app-a
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: app-a-service
spec:
  selector:
    app: app-a
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-b
  labels:
    app: app-b
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-b
  template:
    metadata:
      labels:
        app: app-b
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: app-b-service
spec:
  selector:
    app: app-b
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80

Apply these deployments and services to your cluster:

kubectl apply -f test-apps.yaml

Verify:

Ensure both deployments and services are running.

kubectl get pods -l app=app-a
kubectl get pods -l app=app-b
kubectl get svc app-a-service app-b-service

Expected Output:

NAME                     READY   STATUS    RESTARTS   AGE
app-a-xxxxxxxxx-yyyyy    1/1     Running   0          1m

NAME                     READY   STATUS    RESTARTS   AGE
app-b-zzzzzzzzz-wwwww    1/1     Running   0          1m

NAME            TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
app-a-service   ClusterIP   10.xx.xx.xx  <none>        80/TCP    1m
app-b-service   ClusterIP   10.yy.yy.yy  <none>        80/TCP    1m

5. Test Pod-to-Pod Connectivity and Encryption

Now, let’s verify that our applications can communicate and, more importantly, that the traffic between them is encrypted by WireGuard. We’ll use curl from one pod to another and then observe the network traffic on the host node.

5.1. Perform Connectivity Test

Get the name of an app-a pod and the ClusterIP of app-b-service, then curl from app-a to app-b.

APP_A_POD=$(kubectl get pods -l app=app-a -o jsonpath='{.items[0].metadata.name}')
APP_B_SERVICE_IP=$(kubectl get svc app-b-service -o jsonpath='{.spec.clusterIP}')

kubectl exec $APP_A_POD -- curl $APP_B_SERVICE_IP

Verify:

You should receive the default Nginx welcome page, confirming connectivity.

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...

5.2. Verify Encryption with tcpdump

This is the crucial step to confirm encryption. We’ll capture traffic on a node that hosts one of the pods (e.g., app-b) while traffic is being sent to it. We expect to see UDP traffic on the WireGuard port (default 51871) but no readable HTTP traffic between the nodes.

First, identify the node where app-b is running:

APP_B_POD=$(kubectl get pods -l app=app-b -o jsonpath='{.items[0].metadata.name}')
APP_B_NODE=$(kubectl get pod $APP_B_POD -o jsonpath='{.spec.nodeName}')
echo "App B pod is on node: $APP_B_NODE"

Now, SSH into $APP_B_NODE. You’ll need tcpdump installed on your node. If not, install it (e.g., sudo apt install tcpdump on Ubuntu, sudo yum install tcpdump on CentOS/RHEL).

On the node where app-b is running, start tcpdump to capture traffic on the WireGuard interface (wg0) and the underlying network interface (e.g., eth0 or your primary interface). Replace eth0 with your node’s primary network interface if it’s different.

# On the node where app-b is running (SSH into the node)
# Example: sudo tcpdump -i eth0 -n -s0 host  and not port 51871
# This command tries to capture unencrypted traffic *between nodes*
# If you see HTTP traffic here, encryption is NOT working between nodes.
sudo tcpdump -i eth0 -n -s0 host $(kubectl get pod $APP_A_POD -o jsonpath='{.status.hostIP}') and not port 51871 &

# Capture on wg0 to see encrypted traffic
sudo tcpdump -i wg0 -n -s0 port 51871 &

While tcpdump is running on the node, go back to your local machine and initiate traffic from app-a to app-b repeatedly:

# On your local machine (in a new terminal)
APP_A_POD=$(kubectl get pods -l app=app-a -o jsonpath='{.items[0].metadata.name}')
APP_B_SERVICE_IP=$(kubectl get svc app-b-service -o jsonpath='{.spec.clusterIP}')

for i in $(seq 1 5); do
  kubectl exec $APP_A_POD -- curl -s $APP_B_SERVICE_IP > /dev/null
  sleep 1
done

Go back to the node where tcpdump was running and stop it (Ctrl+C). Examine the output.

Expected Output:

You should see no HTTP traffic on eth0 or your primary interface between the node IPs. Instead, you should see UDP traffic on port 51871 on eth0, which is the WireGuard encapsulated traffic. On the wg0 interface, you’ll see the decrypted traffic (e.g., HTTP requests).

# Example tcpdump output on eth0 (or your primary interface)
# You should see UDP traffic on port 51871, but NO cleartext HTTP traffic between node IPs.
# This indicates WireGuard is encapsulating and encrypting.
# 10.0.0.1.51871 > 10.0.0.2.51871: UDP, length 120
# 10.0.0.2.51871 > 10.0.0.1.51871: UDP, length 120

If you see cleartext HTTP traffic between the node IPs on eth0, then WireGuard encryption is not working as expected. If you only see UDP traffic on port 51871 on eth0, and on wg0 you see the actual HTTP traffic, then congratulations, your pod-to-pod traffic is transparently encrypted!

This confirms that Cilium is successfully encrypting inter-node pod traffic using WireGuard. Intra-node traffic is typically handled by eBPF directly and does not pass through WireGuard, optimizing performance. For deeper insights into your network traffic, especially with Cilium, consider leveraging eBPF Observability: Building Custom Metrics with Hubble.

Production Considerations

While Cilium with WireGuard offers robust encryption, deploying it in production requires careful planning:

  1. Kernel Version: Ensure all your Kubernetes nodes are running a Linux kernel version 5.6 or newer. This provides native WireGuard support, leading to superior performance and stability. Older kernels might require DKMS modules, which can introduce maintenance overhead.
  2. Performance Overhead: While WireGuard is known for its high performance, encryption/decryption always adds some overhead. Benchmark your applications with and without encryption to understand the impact on latency and throughput. Cilium’s eBPF integration minimizes this, but it’s not zero.
  3. Key Management: Cilium automatically handles WireGuard key rotation and distribution. However, understand how it works and ensure your cluster’s control plane is secure, as compromised Kubernetes secrets could expose WireGuard keys.
  4. Monitoring and Observability: Integrate Cilium’s WireGuard metrics into your monitoring stack. Monitor WireGuard interface status, handshake times, and data transfer rates. Prometheus and Grafana are excellent choices here. Hubble (which we enabled) provides excellent visibility into network flows, which is crucial for encrypted environments.
  5. Network Policies: Encryption secures the communication channel, but network policies define who can talk to whom. Continue to implement robust Kubernetes Network Policies (enforced by Cilium) to enforce least-privilege access. Our Kubernetes Network Policies: Complete Security Hardening Guide offers comprehensive advice.
  6. Firewall Rules: Ensure your node firewalls (e.g., firewalld, ufw) allow UDP traffic on the WireGuard port (default 51871) between all nodes. If you’re running in a cloud environment, configure your VPC security groups or GCP firewall rules accordingly.
  7. IPAM Mode: The choice of IPAM mode (kubernetes or clusterPool) can affect how IP addresses are managed and how encryption integrates. For most standard setups, kubernetes is sufficient.
  8. Upgrades: Plan Cilium upgrades carefully. Always refer to the official Cilium upgrade documentation for compatibility notes and best practices, especially when dealing with encryption.
  9. Multi-Cloud/Hybrid Environments: For clusters spanning multiple cloud providers or on-premises data centers, ensure network connectivity between nodes is robust and that WireGuard tunnels can be established across these boundaries. This might involve additional routing or VPN solutions at a higher level.
  10. Alternative Encryption: Cilium also supports IPsec encryption. While WireGuard is generally preferred for its simplicity and performance, IPsec might be considered for specific compliance requirements or integration with existing IPsec infrastructure. Choose the type that best fits your needs. Our Cilium WireGuard Encryption for Pod-to-Pod Traffic post delves deeper into this.

Troubleshooting

Here are some common issues you might encounter and their solutions when working with Cilium WireGuard encryption:

  1. Issue: Cilium Pods Not Starting or Unhealthy

    Symptom: Cilium agent pods are stuck in Pending, CrashLoopBackOff, or Error states.

    Solution:

    • Check Logs: The first step is always to check the logs of the problematic Cilium pod. 
      kubectl logs -n kube-system cilium-<pod-name>
kubectl describe pod -n kube-system cilium-<pod-name>
    • Kernel Compatibility: Look for errors related to eBPF or WireGuard kernel modules. Ensure your kernel is 5.6+ or that wireguard-dkms is installed if on an older kernel.
    • Resource Limits: Ensure Cilium pods have sufficient CPU and memory.
    • kube-proxy Replacement Issues: If you enabled kubeProxyReplacement=strict, ensure there are no conflicts or that your Kubernetes version supports it fully.

  2. Issue: WireGuard Interface (wg0) Not Present on Nodes

    Symptom: Running kubectl -n kube-system exec cilium-<pod-name> -- ip link show wg0 yields “Device “wg0″ does not exist.”

    Solution:

    • Check Cilium Configuration: Verify that Cilium was installed with encryption.enabled=true and encryption.type=wireguard. If not, you’ll need to upgrade your Cilium installation using helm upgrade with the correct flags.
    • Cilium Agent Logs: Check Cilium agent logs for any errors related to WireGuard initialization.
    • Kernel Module: Ensure the WireGuard kernel module is loaded on the host. You can check with lsmod | grep wireguard on the node. If not, try sudo modprobe wireguard.

  3. Issue: Pod-to-Pod Communication Fails Across Nodes

    Symptom: Pods on different nodes cannot communicate, or connections time out, even if wg0 is present.

    Solution:

    • Firewall Rules: Verify that the WireGuard UDP port (default 51871) is open between all nodes in your network security groups or host firewalls.
    • Cilium Status: Check the overall health of Cilium: 
      cilium status --wait
    • Cilium Endpoint Status: Check the status of the endpoints for your pods: 
      cilium endpoint list
    • WireGuard Peers: Ensure each wg0 interface has established peers with other nodes. Run kubectl -n kube-system exec cilium-<pod-name> -- wg show wg0 and verify that all expected peer nodes are listed and have recent handshakes.
    • Routing Tables: Inside a Cilium pod, inspect the routing tables to ensure routes for other pod CIDRs point to the wg0 interface.

  4. Issue: Cleartext Traffic Observed Between Nodes (Encryption Not Working)

    Symptom: When running tcpdump on a node’s primary interface (e.g., eth0), you still see unencrypted HTTP or application traffic between node IPs for cross-node pod communication.

    Solution:

    • Recheck Cilium Installation: Double-check that encryption.enabled=true and encryption.type=wireguard were correctly applied during installation or upgrade.
    • Cilium Agent Logs: Look for warnings or errors related to encryption in the Cilium agent logs.
    • Cilium Status: Use cilium status to verify that “Encryption: WireGuard” is reported. 
      kubectl -n kube-system exec cilium-<pod-name> -- cilium status | grep Encryption
    • Policy Overrides: Ensure no network policies are inadvertently bypassing encryption or routing traffic incorrectly.
    • Kernel Modules: Confirm the WireGuard kernel module is correctly loaded and working.

  5. Issue: Performance Degradation After Enabling Encryption

    Symptom: Applications experience higher latency or lower throughput after enabling WireGuard encryption.

    Solution:

    • Kernel Version: Ensure all nodes are on Linux kernel 5.6+ for native WireGuard performance. Older kernels with DKMS can be slower.
    • CPU Resources: Encryption/decryption is CPU-intensive. Monitor CPU utilization on your nodes. If it’s consistently high, consider upgrading node types or scaling out.
    • MTU Settings: Incorrect MTU settings can lead to fragmentation and performance issues. Cilium usually handles this, but verify that the MTU on the wg0 interface is appropriate for your underlying network infrastructure (typically 1420 bytes for WireGuard over Ethernet).
    • Network Latency: High underlying network latency between nodes will be exacerbated by encryption overhead.
    • Benchmarking: Perform dedicated network benchmarks (e.g., using iperf3 between pods) to quantify the performance impact and identify bottlenecks.

  6. Issue: Hubble UI Not Showing Encrypted Flows

    Symptom: Hubble UI is enabled but doesn’t show expected network flows, or shows them as unencrypted when they should be.

    Solution:

    • Hubble Pod Status: Ensure all Hubble Relay and Hubble UI pods are running and healthy in the kube-system namespace.
    • Cilium Configuration: Verify that Hubble was enabled during Cilium installation (hubble.enabled=true, hubble.ui.enabled=true).
    • Firewall: Ensure that the Hubble Relay port (default 4245) is accessible from the Hubble UI pod.
    • Cilium Logs: Check Cilium agent logs for any issues related to exporting flow data to Hubble.
    • Network Policies: If you have strict network policies, ensure they allow traffic between Cilium agents and Hubble Relay, and from Hubble UI to Hubble Relay.

FAQ Section

  1. What is the difference between WireGuard and IPsec encryption in Cilium?

    WireGuard is a modern, simpler, and generally faster VPN protocol compared to IPsec. It has a smaller codebase, making it easier to audit and less prone to configuration errors. Cilium’s integration with WireGuard leverages its kernel-native implementation for high performance. IPsec is an older, more complex protocol that offers a wider range of algorithms and negotiation options. While Cilium supports both, WireGuard is typically recommended for its performance and ease of use. For a deeper dive into these options, see our Cilium WireGuard Encryption for Pod-to-Pod Traffic guide.

  2. Does Cilium encrypt all traffic, including intra-node pod communication?

    Cilium’s WireGuard encryption primarily targets inter-node pod-to-pod traffic. Traffic between pods on the same node is typically handled directly by eBPF without WireGuard encapsulation, as it doesn’t leave the host and is generally considered secure within the node’s boundaries. This design optimizes performance by avoiding unnecessary encryption overhead for intra-node communication.

  3. How does Cilium manage WireGuard keys?

    Cilium automatically handles the generation, distribution, and rotation of WireGuard keys. Each Cilium agent generates its own public/private key pair. Public keys are then exchanged securely between nodes, typically facilitated by the Kubernetes API server and stored as secrets. This automation simplifies key management significantly, removing the manual burden often associated with VPN setups. For enhanced security of your cluster’s secrets, consider tools like Secrets Store CSI Driver.

  4. Can I use Cilium WireGuard encryption with a service mesh like Istio?

    Yes, Cilium WireGuard encryption can coexist with service meshes like Istio. Cilium operates at the CNI layer (Layer 3/4), providing network encryption for all pod traffic regardless of application protocol. Istio, on the other hand, operates at the application layer (Layer 7) and provides mTLS encryption between services, along with traffic management and observability features. The two work complementarily: Cilium secures the underlying network, while Istio secures application-level communication. For more on Istio, check out our Istio Ambient Mesh Production Guide.

  5. What is the performance impact of using WireGuard encryption with Cilium?

    WireGuard is designed to be extremely lightweight

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *