Help me build a guide to deploy Rancher 2.0 in a secure way

tychota · April 7, 2018, 12:14pm

Problem I try to solve

When deploying rancher outside of AWS, GCP or other cloud provider, nothing is secure by default:

no VPC means that inter host communication is unencrypted and without authentication
no firewall means that etcd, k8s controller are exposed to external world

Solutions that already exists

Igor Cicimov write a 8 articles series about how to securely deploy k8s (wireguard, flannel)

Patrick Stadler write and maintain a repo how to install securely k8s (wireguard, weave, firewall rules)

Why they are not enough

They use external etcd, external kubelet which make the installation way harder that what currently exists
They don’t help securing canal (one use weave, the other flannel but none helps routing the calicopart through the vpn interace)
The default firewall rules are not compatible with rancher (agent cannot connect to rancher)

What I want

I want a guide that:

setup wireguard to 10.0.1.0/24
setup ufw / nftables to securly protect the nodes
use rke to deploy k8s
use canal (new default in rke)
use ip to create route so internal communication goes through wireguard

Plan to go forward

If you have some external ressource not linked that are relevant, you comment with then and I add them to the main post
We agree on a CNI provider : canal ?
We agree on the firewall rules / ip routes that need to be done to securely
I write a guid similar to GitHub - hobby-kube/guide: Kubernetes clusters for the hobbyist.

Alternatives

?

verrol · July 6, 2018, 12:41am

I would love for this guide to materialize.

I am trying to setup Rancher Server 2.x with Etcd & Control roles in the cloud (Digital Ocean Droplet) connected to remote office(s) over OpenVPN where the worker nodes are located. Thus, the communication between Rancher Server host and workers would be over VPN. But so far, I am having some issues with the websocket connection from the worker to the Rancher Server, even though I can ping both ping both ends over VPN.

segator · February 21, 2019, 8:52am

I achieved in the past what you said with rancher kube 1.12 (calico network) over zeroTier
But I wanted to reinstall to write the full script and I dont know why but I wont be able to install it again…
Anyway wireguard have better performance than zerotier so waitting to the guide.

Topic		Replies	Views
How Secure is a cluster set up with Rancher? Rancher	11	2631	August 1, 2019
Rancher on Bare-Metal Servers = Is it secure by default? Rancher	4	845	December 10, 2019
Private network without IPSec overlay Rancher 1.x	3	1589	April 27, 2017
Private network for rancher-kubernetes nodes? Rancher	0	600	July 18, 2018
How do I get started with Rancher2 Rancher	4	1011	January 3, 2019