adelorenzo/kilo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

docs: clarify BoringTun

Browse Source 
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit is contained in:
Lucas Servén Marín 2021-05-11 15:11:25 +02:00
parent e232af1073
commit 1d26921710
No known key found for this signature in database
GPG Key ID: 586FEAF680DA74AD
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
docs/userspace-wireguard.md
View File

@ -6,13 +6,16 @@ This can make sense in cases where
* not all nodes in a cluster have WireGuard installed; or
* nodes are effectively immutable and kernel modules cannot be installed.
One example of a userspace implementation of WireGuard is [BoringTun].
## Homogeneous Clusters
In a homogeneous cluster where no node has the WireGuard kernel module, a userspace WireGuard implementation can be made available by deploying a DaemonSet.
This DaemonSet creates a WireGuard interface that Kilo will manage.
In order to avoid race conditions, `kg` needs to be passed the `--create-interface=false` flag.
An example configuration for a k3s cluster with [boringtun](https://github.com/cloudflare/boringtun) can be applied with:
__Note:__ in order to avoid race conditions, `kg` needs to be passed the `--create-interface=false` flag.
An example configuration for a K3s cluster with [BoringTun] can be applied with:
```shell
kubectl apply -f https://raw.githubusercontent.com/squat/kilo/main/manifests/kilo-k3s-userspace.yaml
@ -23,7 +26,7 @@ __Note:__ even if some nodes have the WireGuard kernel module, this configuratio
## Heterogeneous Clusters
In a heterogeneous cluster where some nodes are missing the WireGuard kernel module, a userspace WireGuard implementation can be provided only to the nodes that need it while enabling the other nodes to leverage WireGuard via the kernel module.
An example of such a configuration for a k3s cluster can by applied with:
An example of such a configuration for a K3s cluster can by applied with:
```shell
kubectl apply -f https://raw.githubusercontent.com/squat/kilo/main/manifests/kilo-k3s-userspace-heterogeneous.yaml
@ -32,6 +35,8 @@ kubectl apply -f https://raw.githubusercontent.com/squat/kilo/main/manifests/kil
This configuration will deploy [nkml](https://github.com/leonnicolas/nkml) as a DaemonSet to label all nodes according to the presence of the WireGuard kernel module.
It will also create two different DaemonSets with Kilo:
1. `kilo` without userspace WireGuard; and
1. `kilo-userspace` with boringtun as a sidecar.
1. `kilo-userspace` with [BoringTun] as a sidecar.
__Note:__ because Kilo is dependant on nkml, nkml must be run on the host network before CNI is available and requires a kubeconfig in order to access the Kubernetes API.
[BoringTun]: https://github.com/cloudflare/boringtun