Help me build a guide to deploy Rancher 2.0 in a secure way


#1

Problem I try to solve

When deploying rancher outside of AWS, GCP or other cloud provider, nothing is secure by default:

  • no VPC means that inter host communication is unencrypted and without authentication
  • no firewall means that etcd, k8s controller are exposed to external world

Solutions that already exists

  • Igor Cicimov write a 8 articles series about how to securely deploy k8s (wireguard, flannel)
  • Patrick Stadler write and maintain a repo how to install securely k8s (wireguard, weave, firewall rules)

Why they are not enough

  • They use external etcd, external kubelet which make the installation way harder that what currently exists
  • They don’t help securing canal (one use weave, the other flannel but none helps routing the calicopart through the vpn interace)
  • The default firewall rules are not compatible with rancher (agent cannot connect to rancher)

What I want

I want a guide that:

  • setup wireguard to 10.0.1.0/24
  • setup ufw / nftables to securly protect the nodes
  • use rke to deploy k8s
  • use canal (new default in rke)
  • use ip to create route so internal communication goes through wireguard

Plan to go forward

  • If you have some external ressource not linked that are relevant, you comment with then and I add them to the main post
  • We agree on a CNI provider : canal ?
  • We agree on the firewall rules / ip routes that need to be done to securely
  • I write a guid similar to https://github.com/hobby-kube/guide

Alternatives

?


#2

I would love for this guide to materialize.

I am trying to setup Rancher Server 2.x with Etcd & Control roles in the cloud (Digital Ocean Droplet) connected to remote office(s) over OpenVPN where the worker nodes are located. Thus, the communication between Rancher Server host and workers would be over VPN. But so far, I am having some issues with the websocket connection from the worker to the Rancher Server, even though I can ping both ping both ends over VPN.