CIlium node-to-node encryption

2025-10-30 01:52:18 +00:00 · 2022-01-31 22:19:11 +02:00
parent cfd9468a9a
commit 7da6cafbe9
4 changed files with 11 additions and 3 deletions
--- a/scaleway/deployments/cilium.yaml
+++ b/scaleway/deployments/cilium.yaml
@@ -21,7 +21,11 @@ healthChecking: true

 tunnel: "vxlan"
 autoDirectNodeRoutes: false
-# devices: [eth0]
+devices: [eth0,eth1]
+
+encryption:
+  enabled: true
+  type: wireguard

 cni:
  install: true
--- a/scaleway/deployments/cilium_result.yaml
+++ b/scaleway/deployments/cilium_result.yaml
@@ -132,6 +132,7 @@ data:
  enable-ipv4-masquerade: "true"
  enable-ipv6-masquerade: "true"
  enable-bpf-masquerade: "false"
+  enable-wireguard: "true"

  enable-xt-socket-fallback: "true"
  install-iptables-rules: "true"
@@ -141,6 +142,9 @@ data:
  enable-bandwidth-manager: "false"
  enable-local-redirect-policy: "true"
  enable-host-firewall: "true"
+  # List of devices used to attach bpf_host.o (implements BPF NodePort,
+  # host-firewall and BPF masquerading)
+  devices: "eth0 eth1"

  kube-proxy-replacement:  "strict"
  kube-proxy-replacement-healthz-bind-address: ""
--- a/scaleway/templates/controlplane.yaml.tpl
+++ b/scaleway/templates/controlplane.yaml.tpl
@@ -34,7 +34,7 @@ machine:
      - 1.1.1.1
      - 8.8.8.8
    kubespan:
-      enabled: true
+      enabled: false
      allowDownPeerBypass: true
  install:
    wipe: false
--- a/scaleway/templates/web.yaml.tpl
+++ b/scaleway/templates/web.yaml.tpl
@@ -30,7 +30,7 @@ machine:
          - 169.254.2.53/32
          - fd00::169:254:2:53/128
    kubespan:
-      enabled: true
+      enabled: false
      allowDownPeerBypass: true
  install:
    wipe: true