squat / kilo

Kilo is a multi-cloud network overlay built on WireGuard and designed for Kubernetes (k8s + wg = kg)

Home Page: https://kilo.squat.ai


etcd traffic not going through the Kilo interface

sandah opened this issue

Hi,
I have a cluster (3 master nodes) with an embedded etcd that was set up with K3s and the --no-flannel flag.
After installing Kilo with the --mesh-granularity=full argument, it's working, except for the etcd peer communication traffic, which is not going through the Kilo tunnel.

Is there a reason why?
What can I do to make it work?

Hi @sandah,
Sorry for the late reply.
Kilo is using the API server for key exchanges, discovery of endpoints, etc. This means the Kubernetes control plane has to exist before Kilo can start. The control plane needs etcd.

Not sure if it is technically possible to route etcd traffic over the WireGuard interface after the installation of Kilo. Etcd traffic is encrypted anyway, just like the traffic to the API server, which is also not routed over the WireGuard interface.

Hi,
Thanks for the answer.
I didn't test it yet but I think I found a solution to achieve what I want with the help of this thread #120.

Hi @sandah, any luck?
You should be able to accomplish this if you modify your etcd endpoints to use the internal IPs of the nodes. This will force the connections to be over the WireGuard link.
Any luck?
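
The last reply suggests pointing the etcd endpoints at the nodes' internal IPs. The following is an added example, not code from the thread or from the Kilo project: it checks which etcd members advertise peer URLs on an internal IP. The member list is a constructed sample in the shape of `etcdctl member list -w json` output, and the CIDR, node names and function names are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample shaped like `etcdctl member list -w json` output.
SAMPLE_MEMBER_LIST = json.dumps({
    "members": [
        {"name": "master-1", "peerURLs": ["https://10.0.1.11:2380"]},
        {"name": "master-2", "peerURLs": ["https://203.0.113.12:2380"]},
        {"name": "master-3", "peerURLs": ["https://master-3.example.internal:2380"]},
    ]
})

# Assumption: the nodes' internal IPs are allocated from this range.
INTERNAL_CIDRS = ["10.0.0.0/16"]


def audit_peer_urls(member_list_json, internal_cidrs):
    """Classify each etcd peer URL as 'internal', 'external' or 'unresolved'."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings = []
    for member in json.loads(member_list_json).get("members", []):
        for url in member.get("peerURLs", []):
            host = urlsplit(url).hostname  # strips port and IPv6 brackets
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                # A DNS name: the address it resolves to on each node decides
                # the path, so it cannot be judged from the URL alone.
                verdict = "unresolved"
            else:
                verdict = "internal" if any(addr in n for n in nets) else "external"
            findings.append((member.get("name", "?"), url, verdict))
    return findings


def peers_not_on_internal_ip(findings):
    """Names of members with a peer URL not confirmed to be an internal IP."""
    return sorted({name for name, _, verdict in findings if verdict != "internal"})


if __name__ == "__main__":
    results = audit_peer_urls(SAMPLE_MEMBER_LIST, INTERNAL_CIDRS)
    for name, url, verdict in results:
        print(f"{name:10} {url:45} {verdict}")
    print("needs attention:", peers_not_on_internal_ip(results))
```
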