github.com/imran-kn/cilium-fork@v1.6.9/Documentation/gettingstarted/encryption.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 http://docs.cilium.io 6 7 .. _encryption: 8 9 ***************************** 10 Transparent Encryption (beta) 11 ***************************** 12 13 This guide explains how to configure Cilium to use IPsec based transparent 14 encryption using Kubernetes secrets to distribute the IPsec keys. After this 15 configuration is complete all traffic between Cilium 16 managed endpoints, as well as Cilium managed host traffic, will be encrypted 17 using IPsec. This guide uses Kubernetes secrets to distribute keys. Alternatively, 18 keys may be manually distributed but that is not shown here. 19 20 .. note:: 21 22 This is a beta feature. Please provide feedback and file a GitHub issue 23 if you experience any problems. 24 25 Generate & import the PSK 26 ========================= 27 28 First create a Kubernetes secret for the IPsec keys to be stored. 29 This will generate the necessary IPsec keys which will be distributed as a 30 Kubernetes secret called ``cilium-ipsec-keys``. In this example we use 31 GMC-128-AES, but any of the supported 32 Linux algorithms may be used. To generate use the following 33 34 .. parsed-literal:: 35 36 $ kubectl create -n kube-system secret generic cilium-ipsec-keys \\ 37 --from-literal=keys="3 rfc4106(gcm(aes)) $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null| xxd -p -c 64)) 128" 38 39 The secret can be displayed with ``kubectl -n kube-system get secret`` and will be 40 listed as 'cilium-ipsec-keys'. 41 42 .. parsed-literal:: 43 $ kubectl -n kube-system get secrets cilium-ipsec-keys 44 NAME TYPE DATA AGE 45 cilium-ipsec-keys Opaque 1 176m 46 47 Enable Encryption in Cilium 48 =========================== 49 50 .. include:: k8s-install-download-release.rst 51 52 Generate the required YAML files and deploy them: 53 54 .. code:: bash 55 56 helm template cilium \ 57 --namespace cilium \ 58 --set global.encryption.enabled=true \ 59 --set global.encryption.nodeEncryption=false \ 60 > cilium.yaml 61 62 Encryption interface 63 -------------------- 64 65 If direct routing is being used an additional argument can be used to identify the 66 network facing interface. If no interface is specified the default route link is 67 chosen by inspecting the routing tables. This will work in many cases but depending 68 on routing rules users may need to specify the encryption interface as follows: 69 70 .. code:: bash 71 72 --set global.encryption.interface=ethX 73 74 Node to node encryption 75 ----------------------- 76 77 In order to enable node-to-node encryption, add: 78 79 .. code:: bash 80 81 [...] 82 --set global.encryption.enabled=true \ 83 --set global.encryption.nodeEncryption=true 84 85 Deploy Cilium 86 ------------- 87 88 .. code:: bash 89 90 kubectl create -f cilium.yaml 91 92 At this point the Cilium managed nodes will be using IPsec for all traffic. For further 93 information on Cilium's transparent encryption, see :ref:`arch_guide`. 94 95 Validate the Setup 96 ================== 97 98 Run a ``bash`` shell in one of the Cilium pods with ``kubectl -n kube-system 99 exec -ti cilium-7cpsm -- bash`` and execute the following commands: 100 101 1. Install tcpdump 102 103 .. code:: bash 104 105 apt-get update 106 apt-get -y install tcpdump 107 108 2. Check that traffic is encrypted: 109 110 .. code:: bash 111 112 tcpdump -n -i cilium_vxlan 113 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 114 listening on cilium_vxlan, link-type EN10MB (Ethernet), capture size 262144 bytes 115 15:16:21.626416 IP 10.60.1.1 > 10.60.0.1: ESP(spi=0x00000001,seq=0x57e2), length 180 116 15:16:21.626473 IP 10.60.1.1 > 10.60.0.1: ESP(spi=0x00000001,seq=0x57e3), length 180 117 15:16:21.627167 IP 10.60.0.1 > 10.60.1.1: ESP(spi=0x00000001,seq=0x579d), length 100 118 15:16:21.627296 IP 10.60.0.1 > 10.60.1.1: ESP(spi=0x00000001,seq=0x579e), length 100 119 15:16:21.627523 IP 10.60.0.1 > 10.60.1.1: ESP(spi=0x00000001,seq=0x579f), length 180 120 15:16:21.627699 IP 10.60.1.1 > 10.60.0.1: ESP(spi=0x00000001,seq=0x57e4), length 100 121 15:16:21.628408 IP 10.60.1.1 > 10.60.0.1: ESP(spi=0x00000001,seq=0x57e5), length 100 122 123 Key Rotation 124 ============ 125 126 To replace cilium-ipsec-keys secret with a new keys, 127 128 .. code-block:: shell-session 129 130 KEYID=$(kubectl get secret -n cilium cilium-ipsec-keys -o yaml|grep keys: | awk '{print $2}' | base64 -d | awk '{print $1}') 131 if [[ $KEYID -gt 15 ]]; then KEYID=0; fi 132 data=$(echo "{\"stringData\":{\"keys\":\"$((($KEYID+1))) "rfc4106\(gcm\(aes\)\)" $(echo $(dd if=/dev/urandom count=20 bs=1 2> /dev/null| xxd -p -c 64)) 128\"}}") 133 kubectl patch secret -n cilium cilium-ipsec-keys -p="${data}" -v=1 134 135 Then restart cilium agents to transition to the new key. During transition the 136 new and old keys will be in use. The cilium agent keeps per endpoint data on 137 which key is used by each endpoint and will use the correct key if either side 138 has not yet been updated. In this way encryption will work as new keys are 139 rolled out. 140 141 The KEYID environment variable in the above example stores the current key ID 142 used by Cilium. The key variable is a uint8 with value between 0-16 and should 143 be monotonically increasing every re-key with a rollover from 16 to 0. The 144 cilium agent will default to KEYID of zero if its not specified in the secret. 145 146 Troubleshooting 147 =============== 148 149 * Make sure that the Cilium pods have kvstore connectivity: 150 151 .. code:: bash 152 153 cilium status 154 KVStore: Ok etcd: 1/1 connected: http://127.0.0.1:31079 - 3.3.2 (Leader) 155 [...] 156 157 * Check for ``level=warning`` and ``level=error`` messages in the Cilium log files 158 * Run a ``bash`` in a Cilium and validate the following: 159 160 * Routing rules matching on fwmark: 161 162 .. code:: bash 163 164 ip rule list 165 1: from all fwmark 0xd00/0xf00 lookup 200 166 1: from all fwmark 0xe00/0xf00 lookup 200 167 [...] 168 169 * Content of routing table 200 170 171 .. code:: bash 172 173 ip route list table 200 174 local 10.60.0.0/24 dev cilium_vxlan proto 50 scope host 175 10.60.1.0/24 via 10.60.0.1 dev cilium_host 176 177 * XFRM policy: 178 179 .. code:: bash 180 181 ip xfrm p 182 src 10.60.1.1/24 dst 10.60.0.1/24 183 dir fwd priority 0 184 mark 0xd00/0xf00 185 tmpl src 10.60.1.1 dst 10.60.0.1 186 proto esp spi 0x00000001 reqid 1 mode tunnel 187 src 10.60.1.1/24 dst 10.60.0.1/24 188 dir in priority 0 189 mark 0xd00/0xf00 190 tmpl src 10.60.1.1 dst 10.60.0.1 191 proto esp spi 0x00000001 reqid 1 mode tunnel 192 src 10.60.0.1/24 dst 10.60.1.1/24 193 dir out priority 0 194 mark 0xe00/0xf00 195 tmpl src 10.60.0.1 dst 10.60.1.1 196 proto esp spi 0x00000001 reqid 1 mode tunnel 197 198 * XFRM state: 199 200 .. code:: bash 201 202 ip xfrm s 203 src 10.60.0.1 dst 10.60.1.1 204 proto esp spi 0x00000001 reqid 1 mode tunnel 205 replay-window 0 206 auth-trunc hmac(sha256) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 96 207 enc cbc(aes) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 208 anti-replay context: seq 0x0, oseq 0xe0c0, bitmap 0x00000000 209 sel src 0.0.0.0/0 dst 0.0.0.0/0 210 src 10.60.1.1 dst 10.60.0.1 211 proto esp spi 0x00000001 reqid 1 mode tunnel 212 replay-window 0 213 auth-trunc hmac(sha256) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 96 214 enc cbc(aes) 0x6162636465666768696a6b6c6d6e6f70717273747576777a797a414243444546 215 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 216 sel src 0.0.0.0/0 dst 0.0.0.0/0 217 218 Disabling Encryption 219 ==================== 220 221 To disable the encryption, regenerate the YAML with the option 222 ``global.encryption.enabled=false``