PR for implementation

[webvictim]

No description provided.

[eldios]

@webvictim would you be able to also add libvirt as a provider, please?
Many of us tend to stick to that as opposed to use virtualbox, nowadays.
Thanks

[webvictim]

@eldios Sure - I'm just testing out the changes as I've had to use a different base image for libvirt. It's also hard to make libvirt work on a Mac so I've had to set it up on a Linux machine. I should be able to commit the updated code shortly.

[eldios]

thanks.

[webvictim]

@eldios The Vagrantfile should work with libvirt now.

[eldios]

In the exercise specification it was not specified to use a different node as a master.
We're interested in knowing your ideas in going down this path.

[webvictim]

Yeah, this was more of an oversight than a deliberate decision. I've changed it now so that there are three nodes total and the master runes on the first node.

[eldios]

Why are you not using IPSEC for the master node?

[webvictim]

I am now!

[knisbet]

Hey Gus,

I've been doing some testing, and I found a sort of interesting issue. It looks to me like pod-to-pod traffic is bypassing the ipsec tunnels.

If you look at ipsec statusall the tunnel counters are all 0's.

   mesh-left[1]: ESTABLISHED 34 minutes ago, 192.168.64.10[192.168.64.10]...192.168.64.20[192.168.64.20]
   mesh-left[1]: IKEv2 SPIs: dd0ac2baaba214eb_i* 994afed63b77ec51_r, pre-shared key reauthentication in 16 minutes
   mesh-left[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
   mesh-left{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cb1b31ac_i cd327d66_o
   mesh-left{7}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 minutes
   mesh-left{7}:   10.128.1.0/24 === 10.128.2.0/24

The way I'm testing, is just using docker exec to ping a pod IP on another host:

docker exec -it 0027bfa14374 ping 10.128.3.2
PING 10.128.3.2 (10.128.3.2): 56 data bytes
64 bytes from 10.128.3.2: icmp_seq=0 ttl=62 time=0.557 ms
64 bytes from 10.128.3.2: icmp_seq=1 ttl=62 time=0.590 ms
64 bytes from 10.128.3.2: icmp_seq=2 ttl=62 time=0.620 ms
64 bytes from 10.128.3.2: icmp_seq=3 ttl=62 time=0.483 ms
64 bytes from 10.128.3.2: icmp_seq=4 ttl=62 time=0.844 ms
^C--- 10.128.3.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.483/0.619/0.844/0.121 ms

Also, tcpdump appears to pick up the traffic in the clear

root@kube-node1:~# tcpdump -vni eth1 icmp
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
08:51:59.261402 IP (tos 0x0, ttl 63, id 647, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.64.10 > 10.128.3.2: ICMP echo request, id 48, seq 98, length 64
08:51:59.261952 IP (tos 0x0, ttl 63, id 45133, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.3.2 > 192.168.64.10: ICMP echo reply, id 48, seq 98, length 64
08:52:00.263974 IP (tos 0x0, ttl 63, id 731, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.64.10 > 10.128.3.2: ICMP echo request, id 48, seq 99, length 64
08:52:00.264661 IP (tos 0x0, ttl 63, id 45161, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.3.2 > 192.168.64.10: ICMP echo reply, id 48, seq 99, length 64
08:52:01.265630 IP (tos 0x0, ttl 63, id 914, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.64.10 > 10.128.3.2: ICMP echo request, id 48, seq 100, length 64
08:52:01.266334 IP (tos 0x0, ttl 63, id 45381, offset 0, flags [none], proto ICMP (1), length 84)
    10.128.3.2 > 192.168.64.10: ICMP echo reply, id 48, seq 100, length 64

Cheers,

[webvictim]

@knisbet Thanks for the feedback and the detail. I've switched over to using proper routed IPSEC now with tunnels and marking the traffic explicitly as you suggested. My testing seems to show that this has fixed the issue and all the traffic is now being properly encrypted - the counters increase and I see ESP packets on the wire rather than clear ICMP.

[eldios]

@webvictim I still don't get why you're not using the VPN for all the kubernetes requests while you still address the 192.168.64.10:6443 directly.
Is there any specific reason? Do you think it's better to route traffic to the API server through the VPN or it's better to keep it outside of it? Could you explain your answer?
Thanks

[webvictim]

@eldios There are a couple of reasons I guess:

• The project description doesn't explicitly say that API communication between nodes and master must be encrypted, it just covers pod-to-pod communications so I guess it's open to interpretation
• API traffic between Kubernetes master and nodes is (AFAIK) already encrypted anyway so it didn't seem completely necessary to send it over the tunnels

With that said, we're not verifying the master's CA hash here so in theory a MITM attack would be possible. To counter this, we could modify the bootstrapping process to scrape the CA hash when it's output by kubeadm, pass it to the nodes somehow and verify it when they join. I didn't do this because it seemed a bit unreliable and messy - there's an open issue against kubeadm to provide a way to do this properly (kubernetes/kubeadm#659)

I think I also thought that it'd be much tougher to get Kubernetes to establish a cluster over the tunnels but actually, I just did it and it was really simple...

In terms of what I think would be better, on reflection it's probably better to just put everything inside the IPSEC tunnels as they could potentially be in a situation where the master isn't on the same network as the nodes, isn't routable or maybe the network isn't trusted.

What do you think?

[eldios]

I also think that it's cleaner to put everything inside IPSEC but the fact that the communication is encrypted via HTTPs makes it less mandatory.
You're answer is more or less what I expected 👍

[webvictim]

I've added a commit to send all Kubernetes communication over the IPSEC tunnels now as it's tidier.