How to configure Kubernetes to encrypt the traffic between nodes, and pods?

Question

In preparation for HIPAA compliance, we are transitioning our Kubernetes cluster to use secure endpoints across the fleet (between all pods). Since the cluster is composed of about 8-10 services currently using HTTP connections, it would be super useful to have this taken care of by Kubernetes.

The specific attack vector we'd like to address with this is packet sniffing between nodes (physical servers).

This question breaks down into two parts:

• Does Kubernetes encrypts the traffic between pods & nodes by default?
• If not, is there a way to configure it such?

Many thanks!

Answer 1

Actually the correct answer is "it depends". I would split the cluster into 2 separate networks.

1. Control Plane Network

   This network is that of the physical network or the underlay network in other words.

   k8s control-plane elements - kube-apiserver, kube-controller-manager, kube-scheduler, kube-proxy, kubelet - talk to each other in various ways. Except for a few endpoints (eg. metrics), it is possible to configure encryption on all endpoints.

   If you're also pentesting, then kubelet authn/authz should be switched on too. Otherwise, the encryption doesn't prevent unauthorized access to the kubelet. This endpoint (at port 10250) can be hijacked with ease.

2. Cluster Network

   The cluster network is the one used by the Pods, which is also referred to as the overlay network. Encryption is left to the 3rd-party overlay plugin to implement, failing which, the app has to implement.

   The Weave overlay supports encryption. The service mesh linkerd that @lukas-eichler suggested can also achieve this, but on a different networking layer.

Answer 2

Does Kubernetes encrypts the traffic between pods & nodes by default?

Kubernetes does not encrypt any traffic.

There are servicemeshes like linkerd that allow you to easily introduce https communication between your http service.

You would run a instance of the service mesh on each node and all services would talk to the service mesh. The communication inside the service mesh would be encrypted.

Example:

your service -http-> localhost to servicemesh node - https-> remoteNode -http-> localhost to remote service.

When you run the service mesh node in the same pod as your service the localhost communication would run on a private virtual network device that no other pod can access.

Answer 3

The replies here seem to be outdated. As of 2021-04-28 at least the following components seem to be able to provide an encrypted networking layer to Kubernetes:

• Istio
• Weave
• linkerd
• cilium
• Calico (via Wireguard)

(the list above was gained via consultation of the respective projects home pages)

Answer 4

No, kubernetes does not encrypt traffic by default

I haven't personally tried it, but the description on the Calico software defined network seems oriented toward what you are describing, with the additional benefit of already being kubernetes friendly

I thought that Calico did native encryption, but based on this GitHub issue it seems they recommend using a solution like IPSEC to encrypt just like you would a traditional host