weaveworks / weave

Simple, resilient multi-host containers networking and more.
https://www.weave.works
Apache License 2.0

Activate weave encryption option for Kubernetes #2614

Closed awh closed 7 years ago

awh commented 7 years ago

From @nkratzke on October 14, 2016 9:25

It is great to activate Weave as an overlay network in Kubernetes just with one line.

kubectl apply -f https://git.io/weave-kube

However, I wonder whether it is possible to activate the weave encryption option in Kubernetes in this setting?

Is it possible? What must be done?

Copied from original issue: weaveworks/weave-kube#38

awh commented 7 years ago

From @bboreham on October 14, 2016 15:59

Weave Net encryption needs a shared secret (which we name the "password"). Presumably one would want to use Kubernetes Secrets

Then one would modify the DaemonSet yaml to set the environment variable WEAVE_PASSWORD from this secret.

I haven't tried this yet.

awh commented 7 years ago

From @bboreham on October 14, 2016 16:46

OK, I tried it; it seemed to work.

First create a file called weave-passwd with the secret password in it. Then

$ kubectl create secret -n kube-system generic weave-passwd --from-file=./weave-passwd

Then modify the weave-kube daemonset as follows:

$ diff -c weave-daemonset.yaml weave-daemonset-password.yaml 
*** weave-daemonset.yaml    2016-10-17 11:16:31.723082390 +0000
--- weave-daemonset-password.yaml   2016-10-17 11:18:48.770925435 +0000
***************
*** 32,37 ****
--- 32,43 ----
                host: 127.0.0.1
                path: /status
                port: 6784
+           env:
+             - name: WEAVE_PASSWORD
+               valueFrom:
+                 secretKeyRef:
+                   name: weave-passwd
+                   key: weave-passwd
            securityContext:
              privileged: true
            volumeMounts:
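Review bot: the `key: weave-passwd` on the last `+` line has to equal the key name inside the Secret, and `kubectl create secret generic --from-file=./weave-passwd` derives that key from the file's basename, so the two only agree here because the file is literally named weave-passwd; with `--from-file=password=./weave-passwd` or a renamed file the env var would reference a missing key and the pod would not start. Worth stating next to the snippet. Leaving out `optional: true` on the `secretKeyRef` is the right call: a missing Secret then fails the pod instead of silently launching Weave Net without WEAVE_PASSWORD, i.e. unencrypted.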
awh commented 7 years ago

From @nkratzke on October 17, 2016 11:40

Would it be possible to post a small code/config snippet? Thank you very much.

Nane

Bryan Boreham notifications@github.com wrote on Fri., 14 Oct 2016 at 18:46:

OK, I tried it; it seemed to work.


awh commented 7 years ago

From @bboreham on October 17, 2016 11:45

Sure; see https://github.com/weaveworks/weave-kube/issues/38#issuecomment-253855874
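A small audit of the DaemonSet wiring from the Secret-plus-secretKeyRef procedure above, as an added example that is not part of this thread and not Weave Net's own tooling. It reads the JSON that `kubectl -n kube-system get ds weave-net -o json` returns (the documents below are constructed, not captured from a cluster; the container name `weave` and the Secret/key name `weave-passwd` follow the thread) and tells a password sourced from a Secret apart from a literal value pasted into the manifest, or no password at all. It also produces the strategic-merge patch that adds the Secret reference, so the same script covers both the check and the fix.

```python
import json

# Constructed samples in the shape of `kubectl -n kube-system get ds weave-net -o json`,
# trimmed to the fields the check reads. Not captured from a real cluster.
def _daemonset(env):
    return {"kind": "DaemonSet",
            "metadata": {"name": "weave-net", "namespace": "kube-system"},
            "spec": {"template": {"spec": {"containers": [
                {"name": "weave", "image": "weaveworks/weave-kube", "env": env},
                {"name": "weave-npc", "image": "weaveworks/weave-npc"}]}}}}

SECRET_REF = {"name": "weave-passwd", "key": "weave-passwd"}
DS_SECRET = _daemonset([{"name": "WEAVE_PASSWORD", "valueFrom": {"secretKeyRef": SECRET_REF}}])
DS_SECRET_JSON = json.dumps(DS_SECRET)
DS_INLINE = _daemonset([{"name": "WEAVE_PASSWORD", "value": "s3cret-in-git"}])  # anti-pattern
DS_OPTIONAL = _daemonset([{"name": "WEAVE_PASSWORD",
                           "valueFrom": {"secretKeyRef": dict(SECRET_REF, optional=True)}}])
DS_NONE = _daemonset([])


def audit_weave_password(ds, container="weave"):
    """Return (status, findings) for a DaemonSet given as a dict or as JSON text.

    status: 'secret'  - WEAVE_PASSWORD comes from a Secret via secretKeyRef
            'inline'  - a literal value (or a non-Secret source) sits in the manifest:
                        readable by anyone who can get the DaemonSet, and usually committed
            'missing' - no WEAVE_PASSWORD on the weave container: peers talk unencrypted
    """
    if isinstance(ds, str):
        ds = json.loads(ds)
    findings, status = [], "missing"
    for c in ds["spec"]["template"]["spec"]["containers"]:
        if c["name"] != container:
            continue
        for env in c.get("env", []):
            if env.get("name") != "WEAVE_PASSWORD":
                continue
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                status = "secret"
                findings.append("WEAVE_PASSWORD from Secret %r key %r"
                                % (ref.get("name"), ref.get("key")))
                if ref.get("optional"):
                    # An optional ref plus a missing Secret leaves the variable unset,
                    # so Weave Net would start with encryption silently off.
                    findings.append("secretKeyRef is optional: a missing Secret would "
                                    "launch unencrypted")
            else:
                status = "inline"
                findings.append("WEAVE_PASSWORD is not sourced from a Secret "
                                "(literal value or other valueFrom)")
    if status == "missing":
        findings.append("no WEAVE_PASSWORD on container %r: encryption is off" % container)
    return status, findings


def secret_ref_patch(secret="weave-passwd", key="weave-passwd", container="weave"):
    """Strategic-merge patch adding the Secret-backed env var. Containers and env
    entries merge by name, so anything already set on the container is kept."""
    return {"spec": {"template": {"spec": {"containers": [
        {"name": container,
         "env": [{"name": "WEAVE_PASSWORD",
                  "valueFrom": {"secretKeyRef": {"name": secret, "key": key}}}]}]}}}}


if __name__ == "__main__":
    for label, ds in [("secret", DS_SECRET), ("inline", DS_INLINE),
                      ("optional", DS_OPTIONAL), ("none", DS_NONE)]:
        status, findings = audit_weave_password(ds)
        print("%-8s -> %-7s | %s" % (label, status, "; ".join(findings)))
    # patch document for: kubectl -n kube-system patch ds weave-net -p '<json>'
    print(json.dumps(secret_ref_patch()))
```

`kubectl patch` uses a strategic merge patch by default for built-in types, so the document from `secret_ref_patch()` only adds the env entry rather than replacing the container's existing `env` list. Note that `kubectl describe` prints a `secretKeyRef` as a reference only, whereas a literal `value:` is shown verbatim; either way anyone who can read the Secret or exec into the pod still gets the password, so the Secret's RBAC matters as much as the manifest.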

awh commented 7 years ago

From @nkratzke on October 19, 2016 12:17

I checked it. Worked! Maybe you should provide this as a standard option. And from my point of view: Weave should communicate the encryption feature more offensively. I think weave is the only overlay network solution with integrated encryption (as far as I know).

However, this issue can be closed I think.

awh commented 7 years ago

From @totolitoto on October 26, 2016 1:5

Tried it and the procedure is fine, but I am not sure this actually encrypts the traffic between the nodes; tcpdump still shows all data in clear. Any suggestions welcome.

awh commented 7 years ago

From @bboreham on October 26, 2016 6:30

@totolitoto how exactly did you do the tcpdump?

awh commented 7 years ago

From @bboreham on October 26, 2016 6:32

@totolitoto also could you check the logs of the weave container and see what it says about encryption. Maybe the configuration didn't work.

awh commented 7 years ago

From @totolitoto on October 26, 2016 12:25

Thanks bboreham. I used tcpdump to inspect the traffic on the host outside the container and sniffed on the weave network interface like so (anything on the weave i/f to port 80, that is where I have traffic flowing in and out):

tcpdump -nneS -A -i weave port 80

and I can see clear traffic text over the wire

I will also check my logs

awh commented 7 years ago

Hi @totolitoto - the traffic is decrypted by the router before it hits the weave interface - this is why @bboreham asked exactly how you were doing the tcpdump. Packets between containers are only encrypted when they are travelling between weave peers - they get encapsulated in an encrypted UDP packet on port 6783.

awh commented 7 years ago

From @totolitoto on October 26, 2016 12:38

ok @awh and @bboreham thanks for the clarification - makes sense.

awh commented 7 years ago

From @totolitoto on November 1, 2016 13:4

I actually have a follow-up question here ... What I am really interested in achieving is a fully encrypted communication in the data plane; hence, is there a way to not have the router decrypt/re-encrypt when travelling between weave peers?

Thanks in advance

awh commented 7 years ago

From @bboreham on November 1, 2016 13:17

@totolitoto perhaps some confusion here: Weave Net only encrypts between peers; it decrypts when the data needs to be delivered to container interfaces. This maintains encryption on the wire without needing to alter the software sending or receiving the data.

Weave Net does not try to protect against someone with elevated privilege on the local machine who can sniff packets being delivered.

bboreham commented 7 years ago

Can I clarify what we expect to do for this issue? Is it a matter of documenting the solution, or do we propose solving via the "launch generator", or what?

fetmar commented 7 years ago

@bboreham I'm new to weave. Am I correct in understanding that in this case a peer is a node in a kubernetes cluster? And that the encryption happens between nodes but once the data gets to a node, it's decrypted and then sent to the service/pod decrypted?

bboreham commented 7 years ago

@fetmar that's right: we encrypt on the wire but not on the host.

steebchen commented 5 years ago

So is there any way to verify that the encryption is working? Can eth0 be inspected to find out?

bboreham commented 5 years ago

@steebchen you could inspect traffic on the external network interface of your host(s), yes. Weave Net data goes over UDP port 6784 (or 6783 in 'sleeve' mode).

Whether they are called eth0 depends on your Linux set-up.

steebchen commented 5 years ago

Thanks. I see traffic on port 6783 when making requests to my services. All packets look like this:

13:58:14.653032 IP static.xxx.clients.your-server.de.6783 > static.xxx.clients.your-server.de.6783: UDP, length 66
    0x0000:  4500 005e 3658 4000 4011 e2dc 9f45 9288  E..^6X@.@....E..
    0x0010:  9f45 5047 1a7f 1a7f 004a 0000 fa6c 5315  .EPG.....J...lS.
    0x0020:  3619 8000 0000 0001 645f e836 8064 dffa  6.......d_.6.d..
    0x0030:  1656 96c9 0714 d2ab c547 0181 6e74 696e  .V.......G..ntin
    0x0040:  beff 2261 ea3f d04f 3db0 3c31 5ef7 a9a2  .."a.?.O=.<1^...
    0x0050:  6ba9 f052 a266 1e3b ac4c d189 ea4b       k..R.f.;.L...K

I guess that means the encryption works as I can't see anything looking like http headers or other plain text content in all packets which were displayed. Thanks!
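To turn the tcpdump inspection above into a repeatable check, here is an added example (not part of the thread, and not Weave Net tooling) that parses a `tcpdump -X` style hex dump, splits out the IPv4/UDP addressing and payload, and applies two heuristics: is the datagram on one of the Weave UDP ports named in the thread, and does the payload look like cleartext (known protocol markers, or a high share of printable bytes)? The sample dump is the datagram quoted above, copied verbatim; the cleartext datagram used for contrast is constructed, and the printable-ratio threshold and marker list are my own choices, not Weave constants.

```python
import math
import re

# Sample input: the tcpdump hex dump quoted in the thread above (one UDP datagram
# between two Weave peers on port 6783), copied verbatim.
SAMPLE_DUMP = """\
0x0000:  4500 005e 3658 4000 4011 e2dc 9f45 9288  E..^6X@.@....E..
0x0010:  9f45 5047 1a7f 1a7f 004a 0000 fa6c 5315  .EPG.....J...lS.
0x0020:  3619 8000 0000 0001 645f e836 8064 dffa  6.......d_.6.d..
0x0030:  1656 96c9 0714 d2ab c547 0181 6e74 696e  .V.......G..ntin
0x0040:  beff 2261 ea3f d04f 3db0 3c31 5ef7 a9a2  .."a.?.O=.<1^...
0x0050:  6ba9 f052 a266 1e3b ac4c d189 ea4b       k..R.f.;.L...K
"""

WEAVE_UDP_PORTS = {6783, 6784}          # sleeve / fastdp, as stated in the thread
CLEARTEXT_MARKERS = (b"HTTP/", b"GET ", b"POST ", b"Host:")   # chosen heuristic
PRINTABLE_THRESHOLD = 0.75              # chosen heuristic, not a Weave constant
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+(.*)$")


def parse_hexdump(text):
    """Rebuild raw packet bytes from tcpdump -X style lines ('0x0010:  9f45 ...  .EPG')."""
    raw = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            # hex groups are single-space separated; two spaces start the ASCII column
            hex_part = m.group(1).split("  ", 1)[0]
            raw += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(raw)


def parse_ipv4_udp(pkt):
    """Return addressing and payload of an IPv4/UDP packet; ValueError for anything else."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if pkt[9] != 17:
        raise ValueError("IP protocol %d is not UDP" % pkt[9])
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    udp = pkt[ihl:total_len]
    sport, dport, ulen = (int.from_bytes(udp[i:i + 2], "big") for i in (0, 2, 4))
    return {"src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "sport": sport, "dport": dport,
            "payload": udp[8:ulen]}


def shannon_entropy(data):
    """Bits per byte; for a 66-byte sample the ceiling is log2(66), about 6.04, not 8."""
    if not data:
        return 0.0
    n, counts = len(data), {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data):
    return sum(0x20 <= b < 0x7F for b in data) / len(data) if data else 0.0


def assess(pkt):
    """Heuristic verdict for one datagram: on a Weave port? payload looks like cleartext?"""
    info = parse_ipv4_udp(pkt)
    payload = info["payload"]
    info["on_weave_port"] = info["dport"] in WEAVE_UDP_PORTS
    info["printable_ratio"] = printable_ratio(payload)
    info["entropy"] = shannon_entropy(payload)
    info["looks_cleartext"] = (any(m in payload for m in CLEARTEXT_MARKERS)
                               or info["printable_ratio"] >= PRINTABLE_THRESHOLD)
    return info


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP datagram (checksums zeroed) used only for the contrast case."""
    udp = (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
           + (8 + len(payload)).to_bytes(2, "big") + b"\x00\x00" + payload)
    ip = (bytes([0x45, 0x00]) + (20 + len(udp)).to_bytes(2, "big")
          + b"\x00\x00\x40\x00\x40\x11\x00\x00"          # id, flags, TTL 64, proto UDP, csum
          + bytes(int(o) for o in src.split("."))
          + bytes(int(o) for o in dst.split(".")))
    return ip + udp


if __name__ == "__main__":
    cleartext = build_ipv4_udp("10.0.0.1", "10.0.0.2", 40000, 6783,
                               b"GET / HTTP/1.1\r\nHost: web\r\n\r\n")
    for name, pkt in [("thread sample", parse_hexdump(SAMPLE_DUMP)),
                      ("constructed cleartext", cleartext)]:
        r = assess(pkt)
        print("%s: %s:%d -> %s:%d  %d payload bytes  printable=%.2f  entropy=%.2f  cleartext=%s"
              % (name, r["src"], r["sport"], r["dst"], r["dport"], len(r["payload"]),
                 r["printable_ratio"], r["entropy"], r["looks_cleartext"]))
```

Two caveats when using this on real captures. A low printable ratio is evidence, not proof: fastdp traffic on 6784 is VXLAN-encapsulated and the sleeve framing is binary too, so a short burst of unencrypted overlay traffic can also score low; the authoritative check remains what the weave container logs say about encryption, as suggested earlier in the thread. And `tcpdump -XX` dumps include the 14-byte Ethernet header, so pass `parse_hexdump(text)[14:]` to `assess` in that case.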