@Cryptophobia
Last active June 14, 2018 20:08
Encryption on weave-net
From issue: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues/699
I've investigated using password encryption with weave. If you've followed the instructions for deploying kubernetes with KOps, the default deployment uses weave. Weave has a capability of employing password encryption. Once activated, the encryption in transit is seamless.
Here are the steps so far:

1) Install Kubernetes with KOps per the z2jh documentation steps.

2) (optional) Run kubectl --namespace kube-system get pods and verify there are weave-net pods.

3) Create a password file. I did openssl rand -hex 128 >weave-passwd

4) Create a Kubernetes Secret in the kube-system namespace:

    kubectl create secret -n kube-system generic weave-passwd --from-file=./weave-passwd

5) Verify the secret: kubectl -n kube-system describe secret weave-passwd

This is very important: the secret name (e.g. weave-passwd) and the Data label must be the same. Apparently the Data tag is picked up from the filename in the manner I created the secret. Someone more skilled with Kubernetes could possibly genericize and explain this process better. I have seen in the weave documentation others use the --from-literal flag instead of the --from-file flag.

6) Edit the weave-net daemonset. I used kubectl edit --namespace=kube-system daemonset weave-net

Add the following to the spec.template.spec:

    - name: WEAVE_PASSWORD
      valueFrom:
        secretKeyRef:
          key: weave-passwd
          name: weave-passwd

Here key and name should be the same and should match the name of the Kubernetes Secret.

I'm thinking there is a one line kubectl command to accomplish step 5. I could use some help from a more experienced Kubernetes person to boil this step down.

7) (optional) Run kubectl --namespace kube-system get pods again and verify new pods are created.
That's pretty much it. Then complete the installation of JH via the remainder of the documentation.

To verify it is properly running, after a get pods command execute:
kubectl exec -n kube-system weave-net-<pod> -c weave -- /home/weave/weave --local status
You should get something like:
Version: 2.3.0 (up to date; next check at 2018/05/25 22:56:17)
Service: router
Protocol: weave 1..2
Name: 76:ce:c9:79:52:1c(ip-10-2-0-149.us-west-2.compute.internal)
Encryption: enabled
PeerDiscovery: enabled
Targets: 3
Connections: 3 (2 established, 1 failed)
Peers: 3 (with 6 established connections)
TrustedSubnets: none
Service: ipam
Status: ready
Range: 100.96.0.0/11
DefaultSubnet: 100.96.0.0/11
and note the encryption status is enabled
To patch it:
kubectl patch --namespace=kube-system daemonset/weave-net --type json -p '[ { "op": "add", "path": "/spec/template/spec/containers/0/env/0", "value": { "name": "WEAVE_PASSWORD", "valueFrom": { "secretKeyRef": { "key": "weave-passwd", "name": "weave-passwd" } } } } ]'

The preceding replaces step 6 above.
To remove encryption:
kubectl patch --namespace=kube-system daemonset/weave-net --type json -p '[ { "op": "remove", "path": "/spec/template/spec/containers/0/env/0" } ]'
"Peace of mind" testing can be had by monitoring
tcpdump -A port 6783 on any node running a JH pod
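As an added example (not code from the gist or from the Weave project), the helpers below put the two pitfalls of the procedure above into checkable form: they build the add/remove JSON patches for the DaemonSet, check that the secretKeyRef's name and key really match the Secret, and parse the weave --local status output so the "Encryption: enabled" line is verified programmatically rather than by eye. The sample Secret and status text are constructed, and the function names are my own.

```python
"""Checks for the weave-net encryption steps (added example, not from the gist)."""
import json
import re

# Path used by the gist's kubectl patch command (first env entry of container 0).
ENV_PATH = "/spec/template/spec/containers/0/env/0"


def weave_password_patch(secret_name, key=None):
    """JSON patch for `kubectl patch --type json -p ...` that injects
    WEAVE_PASSWORD from a Secret. With --from-file=./<name> the Secret's data
    key equals the file name, so the key defaults to the secret name."""
    env = {"name": "WEAVE_PASSWORD",
           "valueFrom": {"secretKeyRef": {"name": secret_name,
                                          "key": key or secret_name}}}
    return json.dumps([{"op": "add", "path": ENV_PATH, "value": env}])


def weave_password_removal_patch():
    """Inverse patch: drop the env entry that the add patch put at index 0."""
    return json.dumps([{"op": "remove", "path": ENV_PATH}])


def secret_ref_matches(secret, env_entry):
    """True when the env entry's secretKeyRef names the Secret and a data key
    the Secret actually has (the 'name and key must match' pitfall)."""
    ref = env_entry.get("valueFrom", {}).get("secretKeyRef", {})
    return (ref.get("name") == secret["metadata"]["name"]
            and ref.get("key") in secret.get("data", {}))


def encryption_enabled(status_text):
    """Parse `weave --local status` output; only 'Encryption: enabled' passes."""
    m = re.search(r"^\s*Encryption:\s*(\S+)", status_text, re.MULTILINE)
    return m is not None and m.group(1) == "enabled"


# Constructed sample inputs mirroring the gist's secret and status output.
SAMPLE_SECRET = {"metadata": {"name": "weave-passwd"},
                 "data": {"weave-passwd": "<base64 placeholder>"}}
SAMPLE_STATUS = """\
        Version: 2.3.0 (up to date; next check at 2018/05/25 22:56:17)
        Service: router
       Protocol: weave 1..2
     Encryption: enabled
  PeerDiscovery: enabled
"""

if __name__ == "__main__":
    print(weave_password_patch("weave-passwd"))
    print("encrypted:", encryption_enabled(SAMPLE_STATUS))
```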