Calico Integration with WireGuard Using kOps

It has been a while since I have been excited to write about encrypted tunnels. It might be the sheer pain of troubleshooting old technologies or countless hours of falling down the rabbit hole of a project’s source code that always motivated me to pursue a better alternative — without much luck. However, I believe luck is finally on my side.

In this blog post, we will explore using open source WireGuard, a new technology that offers encrypted tunnels with remarkable performance and an effortless implementation, to establish secure encrypted tunnels between workloads in Kubernetes clusters.

Introduction: WireGuard

With the release of open source Calico 3.14 in June of 2020, Tigera announced a tech preview of its WireGuard integration, which allows node-to-node traffic to be encrypted using WireGuard.

Other encryption methods such as TLS were available to encrypt workloads’ traffic at higher TCP/IP layers, in this case, the application layer. However, WireGuard targets traffic at a lower layer, the transport layer, which makes it effective for a wider range of applications, and also reduces complexity for the user.

WireGuard is an open source project that implements virtual private network (VPN) techniques to establish secure point-to-point connections using Linux kernel capabilities. It aims to be faster, simpler and leaner than previous technologies. With only around 4,000 lines of code, WireGuard source code is also easier to audit.

WireGuard is designed to be extended by third-party programmers and scripts, which makes the project more valuable to the community. In terms of logging and dynamic firewall updates, this can be a great factor for its adoption.

However, our focus will be on kOps’s new release, which enables easy implementation of Calico and WireGuard in self-managed K8s clusters.

Let’s start by exploring some performance metrics.

Performance

Before we dive into numbers, it is worth mentioning that benchmark results are heavily influenced by the test environment. For this test, we used a K8s cluster with three nodes using t3.medium ec2 instances from AWS, with 5Gbps burstable network bandwidth. (You can view t3 tier details at this link.)

WireGuard’s remarkable performance in comparison to older technologies is one of the main reasons behind its integration into Calico. Combined with Calico’s eBPF data plane, WireGuard was able to use, on average, 73% of the 5Gbps bandwidth link to send encrypted traffic to another node.

The following figure showing network throughput shows the Calico eBPF data plane with different settings.

Network throughput (higher is better)

In cryptography, encryption and decryption are the essential building blocks of secure communication. Due to the resource-intensive nature of these procedures, there can be a huge toll on the amount of available resources in a busy cluster. WireGuard was written with a modern approach to cryptography in order to deliver better performance and a softer grip on resources, resulting in more data throughput at higher speed.

The following figure shows an estimate of how much vCPU would be required to transmit 10Gbps of data in each scenario.

Total vCPU per 10Gbps (lower is better)

It is worth noting that the performance test was conducted without any tuning, and there are various ways to boost these figures depending on the environment.

Tigera provides the industry’s only active security platform with full-stack observability for containers and Kubernetes. Tigera’s platform, delivered as a fully-managed SaaS or self-managed service, prevents, detects, troubleshoots, and automatically mitigates exposure risks of security breaches.

Learn More

The latest from Tigera

Demo

Before We Begin

This blog post assumes that you have a running, self-managed Kubernetes cluster named “demo.k8s.local” deployed with kOps version 1.19.1 or higher. If you would like to know more about how to deploy such a cluster, see this article.

WireGuard Preparation

Execute the following command to launch the editor:

Add the following line under the Calico parameters in the networking section:

Configuration should look similar to this:

Save the configuration and exit the editor.

Updating the Cluster

kOps uses a state store approach to save cluster configurations. From the moment a self-managed cluster is created, all configurations and manifests are stored in a specific location, AWS S3 bucket in this instance. It is worth noting that kOps requires you to apply configuration to create or make changes.

Apply the configuration change by executing this command:

That’s it, node-to-node traffic is now encrypted.

Verify

To run WireGuard, Calico injects a WireguardPublicKey into the node manifest. WireGuard then uses this public key to establish secure tunnels.

It is possible to query this value to determine whether WireGuard is successfully configured in your cluster.

To do so, execute the following command:

You should see a result similar to:

Conclusion

As we have established in this blog post, Calico offers an effortless way to set up secure communication in a Kubernetes cluster using open source WireGuard. This latest kOps release provides an effortless install path while providing an incredibly powerful and compelling feature for your K8s cluster: networking that is lightweight, low maintenance, highly performant and secure.

Did you know you can become a certified Calico operator? Learn Kubernetes networking and security fundamentals using Calico in this free, self-paced certification course.

If you enjoyed this post, you might also like:

• Calico community meeting: Demonstration of WireGuard encryption
• In-cluster encryption documentation
• Getting started with Calico network policy
• Free, online webinars, workshops, and resources
• Learn about Calico Cloud
• WireGuard technical whitepaper

Reza Ramezanpour is a developer advocate at Tigera, working to promote adoption of Project Calico. Before joining Tigera, Reza worked as a systems engineer and network administrator.

Read more from Reza Ramezanpour