Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable weave network encryption #3734

Closed
edulop91 opened this issue Oct 31, 2017 · 17 comments
Closed

Enable weave network encryption #3734

edulop91 opened this issue Oct 31, 2017 · 17 comments
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@edulop91
Copy link

edulop91 commented Oct 31, 2017
edited
Loading

  1. Describe IN DETAIL the feature/behavior/change you would like to see.

We would like to enable weave's network encryption capabilities for intra cluster communications. This weave feature is documented at

Reading over previous kops issues I see that Feature request: ability to configure weave (#1171) is inconclusive. Any updates on this front? I also see that #2600 merged. Presumably this would not be that different a change.

  1. Feel free to submit an issue documenting a design supporting your feature request.

From the weave documentation looks like we'd only need a password flag in its configuration to enable encryption. Perhaps this could be a boolean config exposed to users. If true, a random key is generated by kops, stored similar kops secrets, and injected into the weave config files. Another alternative is having users provide a key.

Upgrading existing clusters could be problematic/require downtime.

Happy to contribute time towards this feature. Wondering if there's anything else surrounding #1171 or this particular feature development-wise that I should be aware of before doing so.

Thanks!
@chrislovecnm
Copy link
Contributor

A kops secret which is used in the template would be perfect. I think you have a good example to use.

I am open to using a random key as well.

We probably want to store the data in a k8s secrets which is populated in the weave manifest

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 30, 2018
@chrislovecnm chrislovecnm added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Feb 8, 2018
@chrislovecnm
Copy link
Contributor

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 8, 2018
@chrislovecnm
Copy link
Contributor

Here are the tasks:

  1. create a new secret for weave, either manual secret or automatically
  2. update the API much like this PR add support for changing the weave peer connection limit #4398, with a value for weave encryption

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 9, 2018
@ameena007
Copy link

/reopen

@ameena007
Copy link

This is a required security feature.

@brosander
Copy link
Contributor

This would be really nice to have.

@ApsOps
Copy link
Contributor

ApsOps commented May 21, 2018
edited
Loading

@chrislovecnm Hi. I'm working on this, but I'm not sure how to create a k8s secret from a kops secret. Any pointers?

We probably want to store the data in a k8s secrets which is populated in the weave manifest

Also, do we need to create another secret type for this? Currently I see only these 4 types are available:

  dockerconfig     Create a docker config.
  encryptionconfig Create an encryption config.
  keypair          Create a secret keypair.
  sshpublickey     Create a ssh public key.

@thedarkfalcon
Copy link

thedarkfalcon commented Jun 13, 2018
edited
Loading

Is part of developing a toggle for this to have the status easily visible somewhere? I think I have enabled this feature manually, but the only way I have found to check the weave encryption status is to run weave directly on one of the master/slaves. I thought the whole point of kops is to remove direct access/management of the infrastructure/machines, this would be the first time I have had to access the machines directly.

Edit:
Nevermind, I found how to check the network encryption via kubectl to remotely exec a weave command to dump status to screen. E.g.

$ kubectl exec -n kube-system weave-net-1jkl6 -c weave -- /home/weave/weave --local status

        Version: 2.0.1 (up to date; next check at 2017/07/10 13:49:29)

        Service: router
       Protocol: weave 1..2
           Name: 42:8e:e8:c4:52:1b(host-0)
     Encryption: disabled
  PeerDiscovery: enabled
        Targets: 3
    Connections: 3 (2 established, 1 failed)
          Peers: 3 (with 6 established connections)
 TrustedSubnets: none

        Service: ipam
         Status: ready
          Range: 10.32.0.0/12
  DefaultSubnet: 10.32.0.0/12

@kampka
Copy link
Contributor

kampka commented Jul 18, 2018
edited
Loading

Sorry, I forgot to link this.
This issue was actually fixed in #5441

A word of warning, I have no tried to migrate a production cluster yet and I doubt it will work without downtime.

@thedarkfalcon
Copy link

I don't know why, but my weavenet never seems to come when I enable encryption with a secret I just added. My flow is: create the secret, apply Weaveworks K8s with password-secret
But the pods fail to spin up. If I delete the secret and recreate it, the pods start to spin up and everything functions as expected..

@kampka
Copy link
Contributor

kampka commented Jul 20, 2018

@thedarkfalcon well, that is hard for me to diagnose.
I hope you noticed the warning about creating the secret on an already running, unencrypted cluster?
A weave-kube pod with encryption configured cannot connect to a pod that does not have encryption enabled and vice versa (which is kind of the point of doing this).

@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 19, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@thedarkfalcon
Copy link

Just for anyone else that finds this thread via google. My problem was that the filename of the secret actually seemed to matter. Even though I was giving the secret a name, the file that the secret was being read from seemed to have an affect of the secrets data.

I was initially creating the secret from a Jenkins secret file - which receives a random name when it is exposed to the Jenkins workspace. This secret was then being added to the cluster, however the metadata or something with the Kubernetes secret was wrong due to the input filename.. When I was deleting the secret and manually recreating it, I was using the expected filename.

I troubleshooted all this by being bad and just dumping secrets to screen and saw the discrepancy.

@rifelpet rifelpet added good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. and removed good-starter-issue labels Apr 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@chrislovecnm @kampka @brosander @rifelpet @ApsOps @edulop91 @thedarkfalcon @k8s-ci-robot @ameena007 @fejta-bot