kahkhang / kube-linode

:whale: Provision a Kubernetes/CoreOS cluster on Linode
MIT License
212 stars 31 forks

Private networking question #67

Open camflan opened 6 years ago

camflan commented 6 years ago

Is k8s internal traffic using private ipv6 networking? I was originally only looking at ipv4 traffic and thought all k8s internal traffic was running over the public interface but now I'm wondering if it's using ipv6. I don't see any ipv6 config in the manifests though 🤔

Either way, as long as the internal traffic is over the private network and is protected by (at least) iptables, then I'm satisfied.

[Screenshot attached: screen shot 2018-01-06 at 8.40.10 am]

kahkhang commented 6 years ago

Hmm, I'm sorry, I haven't really looked into the networking traffic and verified that the API servers are communicating through the private network. It might actually be the case that the nodes are communicating using the public IP, since each of them is using a kubeconfig file with the public IP address. If so, that is a bug that needs fixing. The traffic is TLS secured though, but it would probably be better if we can have it communicate over a private network. Also, perhaps using a Calico network overlay instead of flannel (https://www.projectcalico.org/calico-network-policy-comes-to-kubernetes/) might be more convenient than manually configuring iptables rules, since it supports the K8S NetworkPolicy resource (https://kubernetes.io/docs/concepts/services-networking/network-policies/), and K8S automatically configures the necessary underlying network, including iptables. I didn't use this because I wanted to keep the setup simple, but this can possibly be supported with some tweaking and experimentation.

I doubt it's using IPv6 networking because the config file is using an IPv4 address (https://github.com/kahkhang/kube-linode/blob/master/install-coreos.sh#L125), but I must admit my knowledge of computer networking is pretty limited, so I'm not exactly sure.

I think this issue warrants looking into. I think a general fix would be to replace the public IP address with the private IP address in this line: https://github.com/kahkhang/kube-linode/blob/master/linode-utilities.sh#L321. Unfortunately I'll be rather busy this week so I might not be able to fix this right away.

Thanks!
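The suggested fix above is to swap the public address for the private one in the generated kubeconfig. A quick way to confirm whether a cluster is affected is to audit the `server:` entries of a kubeconfig and report which ones point at public addresses. The script below is an added example, not code from the kube-linode repository; the sample kubeconfig is constructed inline, and the Linode private range `192.168.128.0/17` is an assumption about Linode's private network, not something stated in this thread.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample kubeconfig (not generated by kube-linode): one cluster
# on a public address, one on a Linode-style private address, one on a hostname.
SAMPLE_KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- name: public-cluster
  cluster:
    server: https://203.0.113.10:6443
- name: private-cluster
  cluster:
    server: https://192.168.200.5:6443
- name: hostname-cluster
  cluster:
    server: https://api.example.invalid:6443
"""

# RFC 1918 ranges: traffic to these stays off the public Internet.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumption: Linode's private networking range (outside the thread's text).
LINODE_PRIVATE = ipaddress.ip_network("192.168.128.0/17")
# IPv6 unique local addresses play the same role as RFC 1918 for IPv6.
IPV6_ULA = ipaddress.ip_network("fc00::/7")

# Matches "server: <url>" lines without needing a YAML library.
SERVER_RE = re.compile(r"^\s*server:\s*(\S+)\s*$", re.MULTILINE)


def api_servers(kubeconfig_text):
    """Return every API server URL declared in a kubeconfig."""
    return SERVER_RE.findall(kubeconfig_text)


def classify_server(url):
    """Classify where a server URL points: linode-private, rfc1918,
    ipv6-ula, loopback, public, or hostname (needs DNS to decide)."""
    host = urlparse(url).hostname
    if host is None:
        return "unknown"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if addr.is_loopback:
        return "loopback"
    if addr in LINODE_PRIVATE:
        return "linode-private"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    if addr in IPV6_ULA:
        return "ipv6-ula"
    return "public"


def audit_kubeconfig(kubeconfig_text):
    """Map each server URL in the kubeconfig to its classification."""
    return {url: classify_server(url) for url in api_servers(kubeconfig_text)}


def public_endpoints(kubeconfig_text):
    """Return the server URLs that would send API traffic over a public address."""
    return [url for url, kind in audit_kubeconfig(kubeconfig_text).items()
            if kind == "public"]


if __name__ == "__main__":
    for url, kind in audit_kubeconfig(SAMPLE_KUBECONFIG).items():
        print(f"{kind:15} {url}")
    print("public endpoints:", public_endpoints(SAMPLE_KUBECONFIG))
```

Run it against a real kubeconfig by reading the file into `audit_kubeconfig`; any `public` result means the kubelet or kubectl on that node talks to the API server over the public interface, which is exactly the case the thread is discussing. Hostname entries are reported rather than resolved, since resolution would need network access and might differ per node.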

orbitalmedia commented 6 years ago

I think PeerVPN might be a solution for internal networking. For now, I think it's great you got this established over public networking. Great job.

r4j4h commented 6 years ago

PeerVPN seems like it's not maintained anymore, but it could be a good solution. A fork of it, renamed MeshVPN, is more up to date, but I'm not sure of its state. There is also another mesh-based VPN called tinc which is well maintained, but IIRC it is still working on reducing memory usage, which may be a factor here. Sorry, I'm only complicating things 😊

Also, yes, great job putting this all together!! :)

camflan commented 6 years ago

WireGuard works really well for this as well, fwiw

> On Feb 11, 2018, at 3:42 PM, Jasmine Hegman notifications@github.com wrote:
>
> PeerVPN seems like it's not maintained anymore, but could be a good solution. A fork of it renamed to MeshVPN and is more up to date but not sure of its state. There is also another mesh-based VPN called tinc which is well maintained but IIRC is working on reducing memory usage still which may be a factor here. Sorry I'm only complicating things 😊
>
> Also, yes, great job putting this all together!! :)

zllovesuki commented 6 years ago

IPsec (strongSwan) in transport mode is also a good option. A kernel-based VPN is always the most performant. The latest Linode kernel (4.15.13-x86_64-linode106, despite what the UI is actually saying) supports AES-GCM, which is another order of magnitude faster as an AEAD cipher to use.