Calico and Wireguard

Introducing WireGuard Encryption with Calico

Calico is well known as a Container Network Interface (CNI) that offers connectivity and security for container workloads by using standard Linux tools. Calico’s best-known security feature is an implementation of Kubernetes Network Policies, which provides a way to secure container workloads by restricting traffic to and from trusted sources. While the source of traffic can be controlled, without encryption the traffic itself is vulnerable to interception. A common solution is to encrypt traffic at the application layer using protocols like Transport Layer Security (TLS), but it’s also possible to encrypt traffic at a lower infrastructure level using protocols like IPSec.

IPSec has shipped as a standard option in the Linux kernel for a long time, but it introduces a layer of management complexity for setting up and maintaining secure network connections. WireGuard is a kernel alternative to IPSec that aims to “be  faster, simpler, leaner, and more useful.” It’s always been possible to run Calico on top of an IPSec enabled network that you are managing yourself, but the 3.14 release of Project Calico introduced a new tech-preview of Calico managed encryption backed by Wireguard.

This article will guide you through how to enable WireGuard support in Calico, demonstrating how simple it is to enable and disable low level encryption with minimal effort.

To begin, you will need a Kubernetes cluster with WireGuard installed on the host operating system. A complete list of supported operating systems and installation instructions can be found on the WireGuard website. Note that after you install WireGuard, you may need to reboot your machines to make the required kernel modules available.

For the tech preview in Calico 3.14, Calico needs to be installed and configured to not use an overlay network. Calico 3.15 will lift this restriction with support for WireGuard in Calico VXLAN and IPIP overlay networks. 

With all of these prerequisites met, you can enable WireGuard encryption.

calicoctl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'

You can check to see if WireGuard is enabled by inspecting the nodes:

calicoctl get node -o yaml

If successfully configured, each node should contain a field with a WireGuard public key:

...
 status:
   ..
   wireguardPublicKey: jlkVyQYooZYzI2wFfNhSZez5eWh44yfq1wKVjLvSXgY=
   ...

That’s it! With the basic prerequisites met, and a simple change to the Felix configuration, you’ve enabled encryption for all on-the-wire pod-to-pod traffic.

It’s worth noting that enabling encryption for all network traffic comes with a performance penalty. We can demonstrate this using IPerf, which we can run on our cluster using the kubernetes-iperf3 project. It’s easy to download and run:

git clone https://github.com/Pharb/kubernetes-iperf3
cd kubernetes-iperf3
./iperf3.sh

This will deploy an iperf3 server to one of your nodes, a client to every node, then check the performance between the server and clients for every node, including the master. For example, in a three node cluster running Ubuntu 20.04 on virtual machine hosts, iperf3 measured on average 3.74 Gbits/sec throughput between the client and server pods. Compare to a connection with WireGuard enabled, which has a throughput of 611 Mbits/sec on average. Keep in mind that performance metrics are highly dependent on the test setup, and may vary depending on your configuration. The WireGuard performance documentation covers benchmarking in more depth.

If your network security requires that all traffic on your cluster be encrypted, Calico offers an easy to install and use method with WireGuard. It gives you another tool in your security toolbox. Try it out, and let us know how it works! With your feedback from this tech preview we can continue to improve this new feature.

Project Calico is supported by a community of developers and users. You can join the community and connect to other users at the Project Calico Slack. Asking questions on the  community discourse is a great way to get help with issues you might encounter. You can meet the developers and other community members by joining us for the monthly community meetings. Follow @projectcalico on Twitter for up-to-date information about new blog posts, videos, community meetings, and releases.


If you enjoyed this blog then you may also like:

Chris Hoge

Chris Hoge

Chris is a Developer Advocate for Project Calico. Prior to joining Tigera he was a Technical Program Manager at the OpenStack Foundation, where he helped launch an interoperability program and coordinated cross-community efforts between the OpenStack and Kubernetes communities. He holds an MS in Applied Mathematics from the University of Colorado.

You Might Also Like

What’s new in Calico 3.15

We’re very excited to announce Calico v3.15.0, which includes a bunch of great features including generally available Wireguard encryption, and the ability to migrate Calico’s data storage from etcd to

Read More

Join our mailing list​

Get updates on blog posts, new releases and more!

Thanks for signing up!