Secure BGP sessions

Big picture

Use BGP passwords to prevent attackers from injecting false routing information.

Value

Setting a password on a BGP peering between BGP speakers means that a peering will only work when both ends of the peering have the same password. This provides a layer of defense against an attacker impersonating an external BGP peer or a workload in the cluster, for example in order to inject malicious routing information into the cluster.

Features

This how-to guide uses the following Calico features:

  • BGPPeer with password field

Concepts

Password protection on BGP sessions

Password protection is a standardized optional feature of BGP sessions. The effect is that the two peers at either end of a BGP session can only communicate, and exchange routing information, if they are both configured with the same password.

Please note that password use does not cause the data exchange to be encrypted. It remains relatively easy to eavesdrop on the data exchange, but not to inject false information.

Using Kubernetes secrets to store passwords

In Kubernetes, the Secret resource is designed for holding sensitive information, including passwords. Therefore, for this Calico feature, we use Secrets to store BGP passwords.

How to

To use a password on a BGP peering:

  1. Create (or update) a Kubernetes secret in the namespace where calico-node is running, so that it has a key whose value is the desired password. Note the secret name and the key name.

    Secure BGP sessions - 图1note

    BGP passwords must be 80 characters or fewer. If a password longer than that is configured, the BGP sessions with that password will fail to be established.

  2. Ensure that calico-node has RBAC permissions to access that secret.

  3. Specify the secret and key name on the relevant BGPPeer resource.

Create or update Kubernetes secret

For example:

  1. kubectl create -f - <<EOF
  2. apiVersion: v1
  3. kind: Secret
  4. metadata:
  5. name: bgp-secrets
  6. namespace: calico-system
  7. type: Opaque
  8. stringData:
  9. rr-password: very-secret
  10. EOF

Secure BGP sessions - 图2note

If calico-node in your cluster is running in a namespace other than calico-system, you should create the secret in that namespace instead of in calico-system.

To use this password below in a BGPPeer resource, you need to note the secret name bgp-secrets and key name rr-password.

Ensure RBAC permissions

The calico-node pod must have permission to access that secret. To allow calico-node to access that secret, you would configure:

  1. kubectl create -f - <<EOF
  2. apiVersion: rbac.authorization.k8s.io/v1
  3. kind: Role
  4. metadata:
  5. name: secret-access
  6. namespace: calico-system
  7. rules:
  8. - apiGroups: [""]
  9. resources: ["secrets"]
  10. resourceNames: ["bgp-secrets"]
  11. verbs: ["watch", "list", "get"]
  12. ---
  13. apiVersion: rbac.authorization.k8s.io/v1
  14. kind: RoleBinding
  15. metadata:
  16. name: secret-access
  17. namespace: calico-system
  18. roleRef:
  19. apiGroup: rbac.authorization.k8s.io
  20. kind: Role
  21. name: secret-access
  22. subjects:
  23. - kind: ServiceAccount
  24. name: calico-node
  25. namespace: calico-system
  26. EOF

Specify secret and key name on the BGP resource

The BGP password can be specified on separate resources depending on the use case. Specify the password on the BGP peer in order to secure specific BGP peerings or specify the password in the BGP configuration in order to set the password for all intra cluster communications in a node to node mesh.

  • Specific or external peerings
  • Node to node mesh

When configuring a BGP peer, include the secret and key name in the specification of the BGPPeer resource, like this:

  1. apiVersion: projectcalico.org/v3
  2. kind: BGPPeer
  3. metadata:
  4. name: bgppeer-global-3040
  5. spec:
  6. peerIP: 192.20.30.40
  7. asNumber: 64567
  8. password:
  9. secretKeyRef:
  10. name: bgp-secrets
  11. key: rr-password

Include the secret in the default BGP configuration similar to the following:

  1. kind: BGPConfiguration
  2. apiVersion: projectcalico.org/v3
  3. metadata:
  4. name: default
  5. spec:
  6. logSeverityScreen: Info
  7. nodeToNodeMeshEnabled: true
  8. nodeMeshPassword:
  9. secretKeyRef:
  10. name: bgp-secrets
  11. key: rr-password

Secure BGP sessions - 图3note

Node to node mesh must be enabled in order to set node to node mesh BGP password.

Above and beyond

For more detail about the BGPPeer resource, see BGPPeer.

For more on configuring BGP peers, see configuring BGP peers.