First of all, I am excited to share that I've officially become a Kubestronaut (2 weeks ago, read it here). Among the five Kubernetes certifications, the CKS (Certified Kubernetes Security Specialist) was by far the toughest. In fact, I missed passing on my first attempt by just 2% (read it here). That experience inspired me to create the CKS Handbook, which is now in its 2nd Edition, updated to reflect the latest changes to the CKS curriculum.

With the Oct 2024 CKS exam program changes, implementing Pod-to-Pod encryption using Cilium is now a key topic under the Minimizing Micro-services Vulnerability domain. In this blog, we'll explore Cilium and everything you need to know about Cilium traffic encryption for the exam.

Getting to know Cilium

Cilium is an open-source, cloud-native solution providing networking, security, and observability for cloud-native environments such as Kubernetes clusters.

Cilium's core is built upon the revolutionary Linux kernel technology called eBPF which allows the dynamic insertion of control logic into the Linux kernel. Cilium offers many powerful features, but for the CKS exam, the focus is on Cilium's transparent encryption capability.

Understanding Cilium Architecture

Cilium's architecture comprises four key components:

1. The agent (cilium-agent) runs as a pod on each node in the Kubernetes cluster as a DaemonSet. The agent manages the eBPF programs which the Linux Kernel uses to control all network access in/out of those containers.

2. The client (cilium-dbg) is a command-line tool bundled with the Cilium agent. It interacts with the Cilium agent API on the same node for inspecting the state and status of the local agent.

3. The operator is responsible for cluster-wide Cilium operations, and there should only be one active operator per cluster. For high availability, the Cilium operator uses Kubernetes leader election library.

4. The CNI plugin (cilium-cni) is invoked by Kubernetes when a pod is scheduled or terminated on a node. The plugin interacts with the Cilium agent to configure networking, load-balancing, and network policies for the pod.

What you need to know

The CKS exam requires that you know how to implement pod-to-pod traffic encryption using Cilium. In Cilium terms, this feature is called transparent encryption and there are two options to encrypt traffic: IPSec and WireGuard. Both of these are VPN technology that enables secure communication between pods across different nodes in a Kubernetes cluster.

By default, Kubernetes doesn't natively offer encryption of data in transit as such this feature is essential for several reasons:

1. Compliance requirements: Many regulatory frameworks, such as PCI and HIPAA, mandate the encryption of data in transit.

2. Security: Encryption prevents man-in-the-middle (MITM) attacks, ensuring that sensitive information remains confidential as it travels across potentially unsecured networks.

Verify Encryption Status

You can verify the encryption status of Cilium deployment using cilium CLI from any of the running Cilium agents using the following command.

kubectl -n kube-system exec -it ds/cilium -- cilium encrypt status

In the default Cilium deployment, the output will show:

Encryption: Disabled

Pod-to-Pod Encryption via IPSec

Step 1. First, we need to generate a random Pre-Shared Key (PSK)

dd if=/dev/urandom count=20 bs=1 2>/dev/null | xxd -p -c 64

Step 2. We need to store this as a Kubernetes secret. Cilium will use this secret and mount it as a volume in the cilium-agent Pods.

kubectl create -n kube-system secret generic cilium-ipsec-keys --from-literal=keys="3+ rfc4106(gcm(aes)) $PSK 128"

Step 3. Install Cilium and configure IPsec encryption.

cilium install --encryption ipsec

Step 4. Verify that IPSec encryption is active. The output should show "Encryption: IPSec" and IPSec key details.

Encryption: IPsec
Keys in use: 1
Max Seq. Number: 0x0/0xffffffff
Errors: 0

Pod-to-Pod Encryption via WireGuard

Unlike IPsec, WireGuard automates encryption key pair generation and rotation, so there's no need to create an encryption key.

Step 1. Install Cilium and configure WireGuard encryption.

cilium install --encryption wireguard

Step 2. Verify that WireGuard encryption is active. The output should show "Encryption: Wireguard" and WireGuard interface details.

Encryption: Wireguard
Interface: cilium_wg0
        Public key: nw2/evMwulhWhb3yij0J6T6ET9cPypExeUM5rKyKGHs=
        Number of peers: 3

Conclusion

I hope this guide has provided valuable insights to help you prepare for the CKS exam. For more detailed guidance, consider exploring my CKS Handbook which provides detailed step-by-step guidance on:

• Configuring Pod-to-Pod encryption with IPsec and WireGuard.

• Navigating other CKS domain topics effectively.

The updated second edition is designed to align with the latest exam curriculum.

📕 Grab your copy of the CKS Handbook - 2nd Edition today with discount code ENCRYPT25 to get 25% off as a thank-you for readers of this article - Puru