Encrypting worker-to-worker traffic with WireGuard
Applies to classic infrastructure and Virtual Private Cloud (VPC) clusters.
You can encrypt data that flows between worker nodes in your cluster by using WireGuard.
- Note that this feature only encrypts traffic between worker nodes on the same cluster and does not encrypt traffic between different pods on the same worker node.
- Worker-to-worker encryption with WireGuard is supported on Kubernetes Service clusters with workers that run Ubuntu 20 or later.
- WireGuard is not supported on workers that have user-installed encryption modules on them.
- WireGuard is not FIPS or FedRAMP compliant.
- You cannot alter the WireGuard configuration after it is enabled. However, you can disable it.
For more information on this configuration setting, see Enable WireGuard for a cluster in the Calico documentation.
Enabling WireGuard encryption
1. Run the following command to enable WireGuard for worker-to-worker traffic.
   kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":true}}'
   Example output
   felixconfiguration.crd.projectcalico.org/default patched
2. Verify your setup by reviewing the felixconfiguration. In the output, find the WireGuard section and verify that wireguardEnabled: true.
   kubectl get felixconfiguration default -o yaml
   Example output
   apiVersion: crd.projectcalico.org/v1
   kind: FelixConfiguration
   metadata:
     annotations:
       created-by: IBMCloudKubernetesService
       projectcalico.org/metadata: '{"uid":"8a21b69b-9ffb-451d-9619-0dd1605810dc","creationTimestamp":"2023-09-13T14:00:15Z"}'
     creationTimestamp: "2023-09-13T14:00:15Z"
     generation: 2
     name: default
     resourceVersion: "24839234"
     uid: ff0c79f3-5548-4db4-a22f-2f367282631d
   spec:
     bpfLogLevel: ""
     floatingIPs: Disabled
     logSeverityScreen: Info
     natPortRange: 32768:65535
     reportingInterval: 0s
     wireguardEnabled: true
Disabling WireGuard encryption
If you no longer need worker-to-worker encryption in your cluster, you can disable WireGuard.
1. Run the following command to disable WireGuard.
   kubectl patch felixconfiguration default --type='merge' -p '{"spec":{"wireguardEnabled":false}}'
   Example output
   felixconfiguration.crd.projectcalico.org/default patched
2. Verify that WireGuard is disabled. In the output, verify that wireguardEnabled: false.
   kubectl get felixconfiguration default -o yaml
   Example output
   apiVersion: crd.projectcalico.org/v1
   kind: FelixConfiguration
   metadata:
     annotations:
       created-by: IBMCloudKubernetesService
       projectcalico.org/metadata: '{"uid":"8a21b69b-9ffb-451d-9619-0dd1605810dc","creationTimestamp":"2023-09-13T14:00:15Z"}'
     creationTimestamp: "2023-09-13T14:00:15Z"
     generation: 3
     name: default
     resourceVersion: "24839453"
     uid: ff0c79f3-5548-4db4-a22f-2f367282631d
   spec:
     bpfLogLevel: ""
     floatingIPs: Disabled
     logSeverityScreen: Info
     natPortRange: 32768:65535
     reportingInterval: 0s
     wireguardEnabled: false
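The verification steps in both procedures above rely on reading the felixconfiguration by eye. The following shell helpers, added here as an example and not part of the IBM Cloud documentation or the Calico project, turn that check into something scriptable: one function extracts spec.wireguardEnabled from the YAML that kubectl returns (reporting "unset" when the key is absent, which Calico treats as disabled), and a second lists worker nodes that have not yet published a WireGuard public key, since a node without a key is not encrypting its traffic even when the setting is on. The sample YAML and node list are constructed, and the Kubernetes node annotation name projectcalico.org/WireguardPublicKey used in the live check is an assumption about where Calico publishes each node's key.

```shell
#!/bin/sh
# Added example (not from the IBM Cloud page or the Calico project).
# Assumptions: kubectl is configured for the target cluster, and Calico
# publishes each node's WireGuard public key in the Kubernetes Node
# annotation "projectcalico.org/WireguardPublicKey" (assumed name).

# Print the value of spec.wireguardEnabled from a FelixConfiguration YAML
# read on stdin. Prints "unset" when the key is absent (Calico default:
# disabled). awk's $1 ignores the YAML indentation.
wireguard_enabled_from_yaml() {
  awk '$1 == "wireguardEnabled:" { print $2; found = 1 }
       END { if (!found) print "unset" }'
}

# Read lines of "<node-name> <public-key>" (key column empty when the node
# has not published one) and print the names of nodes without a key.
nodes_missing_wireguard_key() {
  awk 'NF < 2 { print $1 }'
}

# Live check against the cluster: succeeds only when spec.wireguardEnabled
# is true, then lists any nodes that have not published a key yet.
check_cluster_wireguard() {
  state=$(kubectl get felixconfiguration default -o yaml | wireguard_enabled_from_yaml)
  if [ "$state" = "true" ]; then
    echo "WireGuard enabled in FelixConfiguration/default"
  else
    echo "WireGuard not enabled (spec.wireguardEnabled=$state)" >&2
    return 1
  fi
  echo "Nodes without a published WireGuard public key (not yet encrypting):"
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.annotations.projectcalico\.org/WireguardPublicKey}{"\n"}{end}' \
    | nodes_missing_wireguard_key
}

# Constructed sample: a trimmed FelixConfiguration as returned by
# "kubectl get felixconfiguration default -o yaml" after enabling WireGuard.
SAMPLE_FELIX_ENABLED='apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
  name: default
spec:
  floatingIPs: Disabled
  reportingInterval: 0s
  wireguardEnabled: true'

# Constructed sample node list: worker-2 has not published a key.
SAMPLE_NODE_KEYS='worker-1 AAAAexamplekeyAAAA=
worker-2
worker-3 BBBBexamplekeyBBBB='

if [ "${1:-}" = "--live" ]; then
  # ./check_wireguard.sh --live  runs against the real cluster
  check_cluster_wireguard
else
  # Offline demonstration on the constructed samples
  printf 'spec.wireguardEnabled: %s\n' \
    "$(printf '%s\n' "$SAMPLE_FELIX_ENABLED" | wireguard_enabled_from_yaml)"
  printf 'nodes missing a key: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NODE_KEYS" | nodes_missing_wireguard_key)"
fi
```

Run it with no arguments to see the parsing on the constructed samples, or with --live to query the cluster. Because the configuration setting and the per-node key are checked separately, the script distinguishes "the cluster was never patched" from "the setting is on but a node has not yet joined the mesh", which is the case that the YAML check alone cannot reveal.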