
Full Mesh Encryption in Kubernetes with WireGuard and Calico

2022-05-20

Authors: Peter Kelly


Summary

The presentation discusses the use of WireGuard and Project Calico to provide full mesh encryption in Kubernetes for compliance and zero-trust security.
  • Encrypting data-in-transit is important for compliance and zero-trust security in Kubernetes
  • Common encryption options include mutual TLS and IPsec
  • Project Calico uses WireGuard for full mesh encryption at a layer below application workloads
  • WireGuard is lightweight, fast, scalable, and easy to configure
  • Calico's data plane components interact with WireGuard to manage the kernel and networking rules
  • The implementation has some gaps and areas for improvement

The top use case for encryption in Kubernetes is compliance, such as PCI or HIPAA. A recent NSA report recommends encrypting data in transit to harden Kubernetes. By default, Kubernetes does not encrypt data in transit, which makes users nervous in a zero-trust environment. Project Calico, which powers about 2 million nodes daily across 166 countries, uses WireGuard for full mesh encryption at a layer below application workloads. WireGuard is popular because it is lightweight, fast, scalable, and easy to configure. Calico's data plane components interact with WireGuard to manage the kernel and networking rules. However, the implementation has some gaps and areas for improvement.
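Because Calico drives the kernel's WireGuard interface on each node, the place to verify that the mesh is actually complete and live is the node itself. The script below is an added example written for this summary, not code from the talk or from the Calico project. It assumes what Calico's documentation states: the interface is named wireguard.cali, and each node's WireGuard public key is published in its Calico Node resource, so the expected peer list can be taken from there. The dump it parses is the tab-separated format of `wg show wireguard.cali dump`; the sample dump, keys and timestamps in the block are constructed placeholders so it runs offline.

```shell
#!/bin/sh
# Added example (not from the talk or the Calico project): audit one node's
# slice of the WireGuard mesh. Calico creates the interface `wireguard.cali`,
# so on a real node the dump below would come from `wg show wireguard.cali dump`
# and the expected peer keys from each Calico Node's status.wireguardPublicKey.
# Both inputs here are constructed sample data so the script runs offline.

MAX_AGE=${MAX_AGE:-180}   # seconds without a handshake before a peer is STALE
TAB=$(printf '\t')        # `wg show ... dump` is tab-separated

# audit_wg_mesh DUMP EXPECTED_KEYS NOW
#   DUMP          text of `wg show wireguard.cali dump`
#   EXPECTED_KEYS whitespace-separated public keys of the other nodes
#   NOW           current Unix time (a parameter so the check is testable)
# Prints one finding per line (STALE, NO-HANDSHAKE, MALFORMED, MISSING);
# returns 1 if anything was found, 0 if the mesh looks complete and live.
audit_wg_mesh() {
    dump=$1; expected=$2; now=$3
    rc=0; seen=""
    # The first dump line describes the local interface (private key, public
    # key, listen port, fwmark); every later line is one peer.
    peers=$(printf '%s\n' "$dump" | tail -n +2)
    while IFS="$TAB" read -r pubkey psk endpoint allowed handshake rx tx keepalive; do
        [ -z "$pubkey" ] && continue
        seen="$seen $pubkey"
        case $handshake in
            ''|*[!0-9]*) echo "MALFORMED $pubkey handshake='$handshake'"; rc=1; continue ;;
        esac
        if [ "$handshake" -eq 0 ]; then
            # Peer is configured but the tunnel never came up: traffic to its
            # allowed-ips is not being protected by this node.
            echo "NO-HANDSHAKE $pubkey endpoint=$endpoint allowed=$allowed"
            rc=1
        elif [ $((now - handshake)) -gt "$MAX_AGE" ]; then
            echo "STALE $pubkey age=$((now - handshake))s endpoint=$endpoint"
            rc=1
        fi
    done <<EOF
$peers
EOF
    # A node that exists in Calico but is not a peer here is a hole in the mesh.
    for k in $expected; do
        case " $seen " in
            *" $k "*) ;;
            *) echo "MISSING $k (expected node is not a WireGuard peer)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a four-node cluster as seen from node-a. The keys are
# placeholders; real ones are base64-encoded Curve25519 public keys.
SAMPLE_NOW=1700000000
SAMPLE_DUMP=$(
  printf '%s\t%s\t%s\t%s\n' privkey-node-a pubkey-node-a 51820 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' pubkey-node-b '(none)' 10.0.0.2:51820 10.244.1.0/26 1699999990 4096 8192 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' pubkey-node-c '(none)' 10.0.0.3:51820 10.244.2.0/26 1699999000 4096 8192 off
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' pubkey-node-d '(none)' 10.0.0.4:51820 10.244.3.0/26 0 0 0 off
)
SAMPLE_EXPECTED="pubkey-node-b pubkey-node-c pubkey-node-d pubkey-node-e"

# Run the audit on the sample. On a real node, replace the two inputs with the
# live dump and the public keys collected from the cluster's Node resources.
audit_wg_mesh "$SAMPLE_DUMP" "$SAMPLE_EXPECTED" "$SAMPLE_NOW" || echo "mesh audit: findings above"
```

On the sample, node-b is healthy, node-c is reported STALE (its last handshake is 1000 seconds old), node-d has never completed a handshake, and node-e is MISSING because Calico lists it but this node has no peer for it. The latter two are the cases worth alerting on: workloads on those nodes are reachable, but the traffic to them is leaving this node unencrypted or not at all.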

Abstract

Encrypting data-in-transit is an important feature for many Kubernetes users, especially for compliance and a zero-trust model. There are several ways this can be achieved, including using WireGuard, an exciting new lightweight VPN in the Linux kernel. This talk explains why you would choose WireGuard for this task and how it can work in a dynamic platform such as Kubernetes, using Project Calico to provide a full host-to-host encrypted mesh at a layer below your application workloads. WireGuard is popular for good reason: lightweight, fast, scalable and easy. We'll show you how easy it is to make it work, but also dig into the implementation details for those who love to sweat the details.
