Configure encryption and authentication to secure Calico components
Connections from Calico components to etcd
- Operator
- Manifest
Operator based installations do not required communication to etcd, and so this section does not apply.
If you are using the etcd datastore, we recommend enabling mutual TLS authentication on its connections as follows.
Configure etcd to encrypt its communications with TLS and require clients to present certificates signed by the etcd certificate authority.
Configure each Calico component to verify the etcd server’s identity and to present a certificate to the etcd server that is signed by the etcd certificate authority.
- calico/node
- calicoctl
- CNI plugin (Kubernetes and OpenShift only)
- Kubernetes controllers (Kubernetes and OpenShift only)
- Felix
- Typha (often deployed in larger Kubernetes deployments)
- Neutron plugin or ML2 driver (OpenStack only)
- DHCP agent (OpenStack only)
Connections from Calico components to kube-apiserver (Kubernetes and OpenShift)
We recommend enabling TLS on kube-apiserver, as well as the client certificate and JSON web token (JWT) authentication modules. This ensures that all of its communications with Calico components occur over TLS. The Calico components present either an X.509 certificate or a JWT to kube-apiserver so that kube-apiserver can verify their identities.
Connections from Felix to Typha (Kubernetes)
- Operator
- Manifest
Operator based installations automatically configure mutual TLS authentication on connections from Felix to Typha.
We recommend enabling mutual TLS authentication on connections from Felix to Typha. To do so, you must provision Typha with a server certificate and Felix with a client certificate. Each service will need the private key associated with their certificate. In addition, you must configure one of the following.
SPIFFE identifiers (recommended): Generate a SPIFFE identifier for Felix, set
ClientURISAN
on Typha to Felix’s SPIFFE ID, and include Felix’s SPIFFE ID in theURI SAN
field of its certificate. Similarly, generate a SPIFFE identifier for Typha, setTyphaURISAN
on Felix to Typha’s SPIFFE ID, and include Typha’s SPIFFE ID in theURI SAN
field of its certificate.Common Name identifiers: Configure
ClientCN
on Typha to the value in theCommon Name
of Felix’s certificate. ConfigureClientCN
on Felix to the value in theCommon Name
of Typha’s certificate.
tip
If you are migrating from Common Name to SPIFFE identifiers, you can set both values. If either matches, the communication succeeds.
Here is an example of how you can secure the Felix-Typha communications in your cluster:
Choose a certificate authority, or set up your own.
Obtain or generate the following leaf certificates, signed by that authority, and corresponding keys:
A certificate for each Felix with Common Name
typha-client
and extended key usageClientAuth
.A certificate for each Typha with Common Name
typha-server
and extended key usageServerAuth
.
Configure each Typha with:
CAFile
pointing to the certificate authority certificateServerCertFile
pointing to that Typha’s certificateServerKeyFile
pointing to that Typha’s keyClientCN
set totypha-client
ClientURISAN
unset.
Configure each Felix with:
TyphaCAFile
pointing to the Certificate Authority certificateTyphaCertFile
pointing to that Felix’s certificateTyphaKeyFile
pointing to that Felix’s keyTyphaCN
set totypha-server
TyphaURISAN
unset.
For a SPIFFE-compliant deployment you can follow the same procedure as above, except:
Choose SPIFFE Identities to represent Felix and Typha.
When generating leaf certificates for Felix and Typha, put the relevant SPIFFE Identity in the certificate as a URI SAN.
Leave
ClientCN
andTyphaCN
unset.Set Typha’s
ClientURISAN
parameter to the SPIFFE Identity for Felix that you use in each Felix certificate.Set Felix’s
TyphaURISAN
parameter to the SPIFFE Identity for Typha.
For detailed reference information on these parameters, refer to: