Question: How can we secure VXLAN on a bare metal provider? #777
Comments
alexellis
changed the title
|
In general you will want to open up That will allow a single node install to work. Then you will want to allow communications between nodes for multi-node installs. This will depend on each system but for my vagrant setup it is something like That would allow Now it is up to you to Hope that helps as a starting point, this should probably be documented at https://rancher.com/docs/k3s/latest/en/running/ maybe with commands for firewalld |
|
I am also working on setting up ipsec and wireguard backends for flannel, so encrypted networking will be provided by default in the not too distant future. |
|
I found that when using Docker, the |
|
I tried this setup without docker on alpine and it worked, not sure what docker would be doing that is special. We can see from #776 that |
|
Various articles like: https://blog.viktorpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html I will try this on Packet to try to confirm if it's an issue with CNI and containerd. |
|
Yuck. I am not sure how effective k3s is with |
|
iptables and docker interactions are a docker thing, as this isn't docker it'll come down to how k3s interacts with iptables. Docker has params to disable iptables interaction as per the docs https://docs.docker.com/network/iptables/ |
|
@SoreGums What about the What happens on Kubernetes, when iptables is disabled? It doesn't sound like a good idea, but I don't have enough information to say for sure. |
|
Yep. k3s is not docker but it does use containerd which docker uses also. There are other ways to route traffic besides iptables, but k3s uses an iptables based approach. |
If that's the case, then what happens when I install with the https://rancher.com/docs/k3s/latest/en/installation/
|
|
Yeah, that is correct we connect to the docker socket instead of creating a containerd instance and connecting to that. Running docker without iptables essentially means it will not alter the iptables rules but provides no other mechanism for routing, so you are basically forced to create your own rules from what I understand. I am not sure if the KUBE- rules are enough for routing in that case. It does appear that starting |
|
It appears any of the ports which are exposed in kubernetes through the load balancer will bypass the firewall. This is because we insert into the beginning of the iptables list. https://github.com/rancher/klipper-lb/blob/master/entry It seems like using iptables based firewalls is a bad idea for this reason, unfortunately I don't know of a good alternative tho. |
|
Sorry, looking closer it appears klipper-lb doesn't really have anything to do with this, the iptables it is applying should only be used in that container. Anyhow, most firewalls should only be concerned about filtering, and most programs should only care about routing, but with iptables we get to throw them together and watch them compete. A firewall definitely should not let stuff silently bypass it tho, sort of defeats the purpose. |
|
I would assume |
|
Would it be possible to use wireguard and tell k3s to only use the wireguard interface for internal stuff? Would it be possible to use the lo interface for the same purpose in a single node setup? |
Most of these bare-metal providers give a public and private IP range, so could |
|
See the note here on "Open ports / Network security"
|
|
Sometimes you do not have an external firewall in an edge case or on a cheap vps. It would be coold if k3s could just limit on which interfaces (like only the wireguard) ist listens... |
|
Closing due to age. On Slack, there was discussion about using wireguard instead of vxlan in environments that don't offer external firewalling. |
Is your feature request related to a problem? Please describe.
Question
Describe the solution you'd like
How can we secure VXLAN on a bare metal provider?
Describe alternatives you've considered
I tried
ufwwhen using Docker (not k3s) and it didn't work because the iptables rules clashed with uff which also uses iptables, in affect I'd blocked all traffic, but for port 22, but this was ignored.Additional context
Unable to safely run k3s without a proper set of working firewall rules on clouds where "security groups" are unavailable, think of Packet as an example of that.
The text was updated successfully, but these errors were encountered: