docs/userspace-wireguard.md: add details

This commit clarifies a few lines from the userspace doc and notes in
the README that Kilo works with userspace WireGuard.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Lucas Servén Marín 2021-01-07 13:43:46 +01:00
parent f6f0b8c791
commit e7855825cf
GPG Key ID: 586FEAF680DA74AD
2 changed files with 18 additions and 15 deletions


@ -28,13 +28,15 @@ This means that if a cluster uses, for example, Flannel for networking, Kilo can
Kilo can be installed on any Kubernetes cluster either pre- or post-bring-up. Kilo can be installed on any Kubernetes cluster either pre- or post-bring-up.
### Step 1: install WireGuard ### Step 1: get WireGuard
Kilo requires the WireGuard kernel module to be loaded on all nodes in the cluster. Kilo requires the WireGuard kernel module to be loaded on all nodes in the cluster.
Starting at Linux 5.6, the kernel includes WireGuard in-tree; Linux distributions with older kernels will need to install WireGuard. Starting at Linux 5.6, the kernel includes WireGuard in-tree; Linux distributions with older kernels will need to install WireGuard.
For most Linux distributions, this can be done using the system package manager. For most Linux distributions, this can be done using the system package manager.
[See the WireGuard website for up-to-date instructions for installing WireGuard](https://www.wireguard.com/install/). [See the WireGuard website for up-to-date instructions for installing WireGuard](https://www.wireguard.com/install/).
Clusters with nodes on which the WireGuard kernel module cannot be installed can use Kilo by leveraging a [userspace WireGuard implementation](./docs/userspace-wireguard.md).
### Step 2: open WireGuard port ### Step 2: open WireGuard port
The nodes in the mesh will require an open UDP port in order to communicate. The nodes in the mesh will require an open UDP port in order to communicate.
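Review bot: the unchanged context line "Kilo requires the WireGuard kernel module to be loaded on all nodes in the cluster." now contradicts the added sentence two lines below it, which says nodes without the kernel module can still run Kilo via a userspace implementation. Since the heading was already changed from "install WireGuard" to "get WireGuard", soften the requirement to match, e.g. "Kilo requires WireGuard on all nodes in the cluster; by default this is provided by the WireGuard kernel module." so the README does not state an absolute requirement that the next paragraph relaxes.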


@ -1,33 +1,34 @@
# Userspace WireGuard # Userspace WireGuard
It is possible to use a userspace implementation of WireGuard with Kilo. It is possible to use a userspace implementation of WireGuard with Kilo.
This can make sense if This can make sense in cases where
* not all nodes in the cluster have WireGuard installed * not all nodes in a cluster have WireGuard installed; or
* no one wants to install the DKMS WireGuard package on these nodes * nodes are effectively immutable and kernel modules cannot be installed.
## Homogeneous Cluster ## Homogeneous Clusters
With a homogeneous cluster (no node has the WireGuard kernel module), you can run a userspace WireGuard implementation as a DaemonSet. In a homogeneous cluster where no node has the WireGuard kernel module, a userspace WireGuard implementation can be made available by deploying a DaemonSet.
This will create a WireGuard interface and Kilo will configure it. This DaemonSet creates a WireGuard interface that Kilo will manage.
In order to avoid a race condition, `kg` needs to be passed the `--create-interface=false` flag. In order to avoid race conditions, `kg` needs to be passed the `--create-interface=false` flag.
An example configuration for a k3s cluster with [boringtun](https://github.com/cloudflare/boringtun) can be applied with An example configuration for a k3s cluster with [boringtun](https://github.com/cloudflare/boringtun) can be applied with:
```shell ```shell
kubectl apply -f https://raw.githubusercontent.com/squat/Kilo/master/manifests/kilo-k3s-userspace.yaml kubectl apply -f https://raw.githubusercontent.com/squat/Kilo/master/manifests/kilo-k3s-userspace.yaml
``` ```
__Note:__ even if some nodes have the WireGuard kernel module, this will still use the userspace implementation of WireGuard. __Note:__ even if some nodes have the WireGuard kernel module, this configuration will cause all nodes to use the userspace implementation of WireGuard.
## Heterogeneous Cluster ## Heterogeneous Clusters
If you have a heterogeneous cluster (some nodes are missing the WireGuard kernel module) and you wish to use the kernel module, if available, you can apply this configuration to a k3s cluster: In a heterogeneous cluster where some nodes are missing the WireGuard kernel module, a userspace WireGuard implementation can be provided only to the nodes that need it while enabling the other nodes to leverage WireGuard via the kernel module.
An example of such a configuration for a k3s cluster can by applied with:
```shell ```shell
kubectl apply -f https://raw.githubusercontent.com/squat/Kilo/master/manifests/kilo-k3s-userspace-heterogeneous.yaml kubectl apply -f https://raw.githubusercontent.com/squat/Kilo/master/manifests/kilo-k3s-userspace-heterogeneous.yaml
``` ```
This config will apply [nkml](https://github.com/leonnicolas/nkml) as a DaemonSet to label all nodes according to the presence of the WireGuard kernel module. This configuration will deploy [nkml](https://github.com/leonnicolas/nkml) as a DaemonSet to label all nodes according to the presence of the WireGuard kernel module.
It will apply two different DaemonSets with Kilo: `kilo` without userspace WireGuard and `kilo-userspace` with boringtun as a sidecar. It will also create two different DaemonSets with Kilo: `kilo` without userspace WireGuard and `kilo-userspace` with boringtun as a sidecar.
Because Kilo is dependant on nkml, it needs to run on the host network and needs a kubeconfig to be able to update the labels. __Note:__ because Kilo is dependant on nkml, nkml must be run on the host network before CNI is available and requires a kubeconfig in order to access the Kubernetes API.
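Review bot: two typos survive in the new text of this hunk: "An example of such a configuration for a k3s cluster can by applied with:" should read "can be applied with:", and "because Kilo is dependant on nkml" should be "dependent". On the final note, since nkml's kubeconfig exists only so it can label nodes, it is worth adding one sentence that the credential should be scoped to that purpose (permission to update node labels, nothing broader), as a reader following the heterogeneous manifest will otherwise reach for a cluster-admin kubeconfig on every node.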