1.MD

https://docs.cilium.io/en/stable/security/network/encryption-wireguard/

# k get no

AME             STATUS     ROLES           AGE   VERSION
ip-10-10-1-11    NotReady   <none>          40m   v1.31.0
ip-10-10-1-216   NotReady   control-plane   40m   v1.31.0
ip-10-10-1-77    NotReady   <none>          40m   v1.31.0

ssh to control-plane

# ssh ip-10-10-1-11

# check the kernel version

#  uname -ar


Linux ip-10-10-1-11 6.8.0-1019-aws #21~22.04.1-Ubuntu SMP Thu Nov  7 17:35:43 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux

exit

install cilium cli

cilium_url="https://github.com/cilium/cilium-cli/releases/download/vmaster7/cilium-linux-arm64.tar.gz"
curl -Lo cilium.tar.gz $cilium_url
tar -zxvf cilium.tar.gz
sudo mv cilium /usr/local/bin/cilium

cilium install --version 1.16.3    --set encryption.enabled=true    --set encryption.type=wireguard --set debug.enabled=true

# after installation wait node ready status

check node status , and wait Ready status

# k get no

NAME             STATUS   ROLES           AGE   VERSION
ip-10-10-1-11    Ready    <none>          45m   v1.31.0
ip-10-10-1-216   Ready    control-plane   45m   v1.31.0
ip-10-10-1-77    Ready    <none>          45m   v1.31.0

check all cilium config

kubectl -n kube-system exec -ti ds/cilium -- sh -c 'cilium-dbg status'

check the encryption status

kubectl -n kube-system exec -ti ds/cilium -- sh -c 'cilium-dbg status | grep Encryption'

Encryption:                             Wireguard       [NodeEncryption: Disabled, cilium_wg0 (Pubkey: W0xqF1Gj7BNHuT2KCjsuVy08tAANMgHBu3qLtMPBI0Q=, Port: 51871, Peers: 1)]
root@ip-10-10-1-9:/home/ubuntu#

check pods communication

k exec external -n external  --  sh -c 'curl finance.finance:8080'

run tcpdump on the node

ssh ip-10-10-1-11

sudo su


nohup tcpdump -n -i cilium_wg0 > /var/log/pod_dump.log 2>&1 &

cat /var/log/pod_dump.log

16:14:39.293383 IP 10.10.1.83.45495 > 10.10.1.131.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 6
IP 10.0.0.230.34498 > 10.0.2.95.4240: Flags [P.], seq 3070195795:3070195895, ack                                    3036488182, win 483, options [nop,nop,TS val 3768956349 ecr 503479106], length                                    100
16:14:39.293591 IP 10.10.1.131.40933 > 10.10.1.83.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 4
IP 10.0.2.95.4240 > 10.0.0.230.34498: Flags [P.], seq 1:76, ack 100, win 482, op                                   tions [nop,nop,TS val 503508748 ecr 3768956349], length 75
16:14:39.293898 IP 10.10.1.83.45495 > 10.10.1.131.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 6
IP 10.0.0.230.34498 > 10.0.2.95.4240: Flags [.], ack 76, win 483, options [nop,n                                   op,TS val 3768956349 ecr 503508748], length 0
16:14:39.295085 IP 10.10.1.83.55314 > 10.10.1.131.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 6
IP 10.0.0.230 > 10.0.2.95: ICMP echo request, id 2217, seq 44405, length 24
16:14:39.295160 IP 10.10.1.131.47328 > 10.10.1.83.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 4
IP 10.0.2.95 > 10.0.0.230: ICMP echo reply, id 2217, seq 44405, length 24
16:14:39.508619 IP 10.10.1.131.43250 > 10.10.1.253.8472: OTV, flags [I] (0x08),                                    overlay 0, instance 6
IP 10.0.2.37.38182 > 10.0.1.103.4240: Flags [P.], seq 373086012:373086113, ack 2                                   337509887, win 483, options [nop,nop,TS val 1104144581 ecr 3312683942], length 1                                   01
16:14:39.509170 IP 10.10.1.253.57400 > 10.10.1.131.8472: OTV, flags [I] (0x08),                                    overlay 0, instance 4
IP 10.0.1.103.4240 > 10.0.2.37.38182: Flags [P.], seq 1:76, ack 101, win 482, op                                   tions [nop,nop,TS val 3312713808 ecr 1104144581], length 75
16:14:39.509229 IP 10.10.1.131.43250 > 10.10.1.253.8472: OTV, flags [I] (0x08),                                    overlay 0, instance 6
IP 10.0.2.37.38182 > 10.0.1.103.4240: Flags [.], ack 76, win 483, options [nop,n                                   op,TS val 1104144581 ecr 3312713808], length 0
16:14:39.509466 IP 10.10.1.131.53308 > 10.10.1.83.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 6
IP 10.0.2.37.41482 > 10.0.0.202.4240: Flags [P.], seq 4172315665:4172315766, ack                                    4273592999, win 483, options [nop,nop,TS val 2202720512 ecr 2692764476], length                                    101
16:14:39.509846 IP 10.10.1.131.42767 > 10.10.1.253.8472: OTV, flags [I] (0x08),                                    overlay 0, instance 6
IP 10.0.2.37 > 10.0.1.103: ICMP echo request, id 5910, seq 19458, length 24
16:14:39.509904 IP 10.10.1.131.44627 > 10.10.1.83.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 6
IP 10.0.2.37 > 10.0.0.202: ICMP echo request, id 5910, seq 19458, length 24
16:14:39.510379 IP 10.10.1.83.52543 > 10.10.1.131.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 4
IP 10.0.0.202.4240 > 10.0.2.37.41482: Flags [P.], seq 1:76, ack 101, win 482, op                                   tions [nop,nop,TS val 2692794343 ecr 2202720512], length 75
16:14:39.510392 IP 10.10.1.253.53375 > 10.10.1.131.8472: OTV, flags [I] (0x08),                                    overlay 0, instance 4
IP 10.0.1.103 > 10.0.2.37: ICMP echo reply, id 5910, seq 19458, length 24
16:14:39.510436 IP 10.10.1.131.53308 > 10.10.1.83.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 6
IP 10.0.2.37.41482 > 10.0.0.202.4240: Flags [.], ack 76, win 483, options [nop,n                                   op,TS val 2202720513 ecr 2692794343], length 0
16:14:39.510456 IP 10.10.1.83.50505 > 10.10.1.131.8472: OTV, flags [I] (0x08), o                                   verlay 0, instance 4

exit

check communication

k exec external -n external  --  sh -c 'curl finance.finance:8080'