Problem I try to solve
When deploying rancher outside of AWS, GCP or other cloud provider, nothing is secure by default:
- no VPC means that inter host communication is unencrypted and without authentication
- no firewall means that etcd, k8s controller are exposed to external world
Solutions that already exists
- Igor Cicimov write a 8 articles series about how to securely deploy k8s (wireguard, flannel)
- Patrick Stadler write and maintain a repo how to install securely k8s (wireguard, weave, firewall rules)
Why they are not enough
- They use external etcd, external kubelet which make the installation way harder that what currently exists
- They don’t help securing
canal(one useweave, the otherflannelbut none helps routing thecalicopart through the vpn interace) - The default firewall rules are not compatible with rancher (agent cannot connect to rancher)
What I want
I want a guide that:
- setup wireguard to
10.0.1.0/24 - setup ufw / nftables to securly protect the nodes
- use rke to deploy k8s
- use
canal(new default in rke) - use
ipto create route so internal communication goes through wireguard
Plan to go forward
- If you have some external ressource not linked that are relevant, you comment with then and I add them to the main post
- We agree on a CNI provider : canal ?
- We agree on the firewall rules / ip routes that need to be done to securely
- I write a guid similar to GitHub - hobby-kube/guide: Kubernetes clusters for the hobbyist.
Alternatives
?