Skip to content

Commit

Permalink
chore: Update based on feedback
Browse files Browse the repository at this point in the history
  • Loading branch information
bryantbiggs committed Oct 4, 2023
1 parent 696203b commit 143ea9d
Show file tree
Hide file tree
Showing 5 changed files with 93 additions and 112 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ repos:
- id: detect-aws-credentials
args: ['--allow-missing-credentials']
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.83.2
rev: v1.83.4
hooks:
- id: terraform_fmt
- id: terraform_docs
Expand Down
52 changes: 33 additions & 19 deletions patterns/wireguard-with-cilium/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,20 +5,31 @@ This pattern demonstrates Cilium configured in CNI chaining mode with the VPC CN
- [Cilium CNI Chaining Documentation](https://docs.cilium.io/en/stable/installation/cni-chaining-aws-cni/)
- [Cilium Wireguard Encryption Documentation](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/)

## Areas of Interest
## Focal Points

- `eks.tf` contains the cluster configuration and the deployment of Cilium.
- There are no specific requirements from an EKS perspective, other than the Linux Kernel version used by the OS must be 5.10+.
On Amazon EKS, this is available starting with EKS 1.24, or users can utilize the Bottlerocket OS for EKS < 1.23
- `sample.tf` provides a sample application used to demonstrate the encrypted connectivity. This is optional and not required for the pattern.
- There are no specific requirements from an EKS perspective, other than the Linux Kernel version used by the OS must be 5.10+
- `example.yaml` provides a sample application used to demonstrate the encrypted connectivity. This is optional and not required for the pattern.

## Deploy

See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern.

## Validate

1. Get the Cilium status from one of the Cilium pods.
1. Deploy the example pods:

```sh
kubectl apply -f example.yaml
```

```text
pod/server created
service/server created
pod/client created
```

2. Get the Cilium status from one of the Cilium pods.

Under the `Encryption` field, it should state `Wireguard` with a PubKey.
`NodeEncryption: Disabled` is expected since `NodeEncryption` was not enabled
Expand All @@ -31,42 +42,42 @@ See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started
```text
Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), install-cni-binaries (init)
KVStore: Ok Disabled
Kubernetes: Ok 1.27+ (v1.27.4-eks-2d98532) [linux/amd64]
Kubernetes: Ok 1.28+ (v1.28.1-eks-43840fb) [linux/amd64]
Kubernetes APIs: ["EndpointSliceOrEndpoint", "cilium/v2::CiliumClusterwideNetworkPolicy", "cilium/v2::CiliumEndpoint", "cilium/v2::CiliumNetworkPolicy", "cilium/v2::CiliumNode", "cilium/v2alpha1::CiliumCIDRGroup", "core/v1::Namespace", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
KubeProxyReplacement: False [eth0 10.0.45.128 (Direct Routing), eth1 10.0.40.206]
KubeProxyReplacement: False [eth0 10.0.21.109 (Direct Routing), eth1 10.0.27.0]
Host firewall: Disabled
CNI Chaining: aws-cni
Cilium: Ok 1.14.1 (v1.14.1-c191ef6f)
Cilium: Ok 1.14.2 (v1.14.2-a6748946)
NodeMonitor: Listening for events on 2 CPUs with 64x4096 of shared memory
Cilium health daemon: Ok
IPAM: IPv4: 1/254 allocated from 10.0.1.0/24,
Cilium health daemon: Ok
IPAM: IPv4: 1/254 allocated from 10.0.0.0/24,
IPv4 BIG TCP: Disabled
IPv6 BIG TCP: Disabled
BandwidthManager: Disabled
Host Routing: Legacy
Masquerading: Disabled
Controller Status: 20/20 healthy
Controller Status: 24/24 healthy
Proxy Status: No managed proxy redirect
Global Identity Range: min 256, max 65535
Hubble: Ok Current/Max Flows: 4095/4095 (100.00%), Flows/s: 1.58 Metrics: Disabled
Encryption: Wireguard [NodeEncryption: Disabled, cilium_wg0 (Pubkey: Es25c2idJtRzE0/FKAOvKPJ7ybRmZ23KrufK3HOuZTY=, Port: 51871, Peers: 1)]
Hubble: Ok Current/Max Flows: 410/4095 (10.01%), Flows/s: 1.59 Metrics: Disabled
Encryption: Wireguard [NodeEncryption: Disabled, cilium_wg0 (Pubkey: /yuqsZyG91AzVIkZ3AIq8qjQ0gGKQd6GWcRYh4LYpko=, Port: 51871, Peers: 1)]
Cluster health: Probe disabled
```

2. Open a shell inside the cilium container
3. Open a shell inside the cilium container

```sh
kubectl -n kube-system exec -ti ds/cilium -- bash
```

3. Install [`tcpdump`](https://www.tcpdump.org/)
4. Install [`tcpdump`](https://www.tcpdump.org/)

```sh
apt-get update
apt-get install -y tcpdump
```

4. Start a packet capture on `cilium_wg0` and verify you see payload in clear text, it means the traffic is encrypted with wireguard
5. Start a packet capture on `cilium_wg0` and verify you see payload in clear text, it means the traffic is encrypted with wireguard

```sh
tcpdump -A -c 40 -i cilium_wg0 | grep "Welcome to nginx!"
Expand All @@ -82,7 +93,10 @@ See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started
0 packets dropped by kernel
```

5. Deploy the Cilium connectivity resources to check and evaluate connectivity:
!!! info "Exit"
Exit the container shell by typing `exit` before continuing to next step

6. Deploy the Cilium connectivity resources to check and evaluate connectivity:

```sh
kubectl create ns cilium-test
Expand Down Expand Up @@ -113,10 +127,10 @@ See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started
ciliumnetworkpolicy.cilium.io/pod-to-external-fqdn-allow-google-cnp created
```

6. View the logs of any of the connectivity tests to view the results:
7. View the logs of any of the connectivity tests to view the results:

```sh
kubectl logs echo-a-6575c98b7d-xknsv -n cilium-test
kubectl logs <cilium test pod> -n cilium-test
```

```text
Expand Down
14 changes: 5 additions & 9 deletions patterns/wireguard-with-cilium/eks.tf
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ module "eks" {
version = "~> 19.16"

cluster_name = local.name
cluster_version = "1.27"
cluster_version = "1.28"
cluster_endpoint_public_access = true

# EKS Addons
Expand All @@ -23,16 +23,12 @@ module "eks" {
eks_managed_node_groups = {
initial = {
instance_types = ["m5.large"]
# Cilium Wireguard requires Linux Kernel 5.10 or above.
# For EKS 1.24 and above, the AMI the Kernel version is 5.10
# For EKS 1.23 and below, you need to use Bottlerocket OS. For example:
# ami_type = "BOTTLEROCKET_x86_64"
# platform = "bottlerocket"
min_size = 1
max_size = 3
desired_size = 2
min_size = 1
max_size = 3
desired_size = 2
}
}

# Extend node-to-node security group rules
node_security_group_additional_rules = {
# Cilium Wireguard Port https://github.com/cilium/cilium/blob/main/Documentation/security/network/encryption-wireguard.rst
Expand Down
54 changes: 54 additions & 0 deletions patterns/wireguard-with-cilium/example.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
---
apiVersion: v1
kind: Pod
metadata:
name: server
labels:
blog: wireguard
name: server
spec:
containers:
- name: server
image: nginx
topologySpreadConstraints:
- maxSkew: 1
topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
blog: wireguard
---
apiVersion: v1
kind: Service
metadata:
name: server
spec:
selector:
name: server
ports:
- port: 80
sessionAffinity: ClientIP
sessionAffinityConfig:
clientIP:
timeoutSeconds: 600
---
apiVersion: v1
kind: Pod
metadata:
name: client
labels:
blog: wireguard
name: client
spec:
containers:
- name: client
image: busybox
command: ["watch", "wget", "server"]
topologySpreadConstraints:
- maxSkew: 1
topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
blog: wireguard
---
83 changes: 0 additions & 83 deletions patterns/wireguard-with-cilium/sample.tf

This file was deleted.

0 comments on commit 143ea9d

Please sign in to comment.