科技回声

8 条评论

kevin_nisbet大约 6 年前

Author here. Feel free to reach out if you have questions or thoughts about the project.

评论 #19781607 未加载

评论 #19782433 未加载

评论 #19781797 未加载

评论 #19782306 未加载

评论 #19781893 未加载

评论 #19781721 未加载

sloppycee大约 6 年前

Big warning to readers:If Gravitational asks you to complete an 'engineering challenge' they are using you for free labour.See: <a href="https://news.ycombinator.com/item?id=19784787" rel="nofollow">https://news.ycombinator.com/item?id=19784787</a>

评论 #19788121 未加载

fulafel大约 6 年前

> If you’re running Kubernetes in a network you don’t fully trust or need to encrypt all pod network traffic between hosts for legacy applications or compliance reasons, Wormhole might be for youIs there a good analysis somewhere about how typical kubernetes setups trust the network and what badness an advesary could do with kubernetes network access? How sound is this default deployment setup from security POV?For example I think DNS is used internally for service discovery, and incoming TLS is often terminated and proxied onwards as HTTP - those could be both MITMed, right?

OJFord大约 6 年前

I thought I understood this, and that it replaced (and no doubt did a better job of) what I'd already done - WG to get nodes on the same network, CNI on top.But requirement 2 confused me: > A Kubernetes cluster with IPAM enabled (--pod-network-cidr= when using kubeadm based install)So, do node machines need to already be on the same network or not?

评论 #19782683 未加载

leetbulb大约 6 年前

Very cool to see WireGuard being used in a mesh implementation. This reminds me of Weave[0] which has worked well for me. I'll definitely be experimenting with Wormhole.[0] <a href="https://www.weave.works/oss/net/" rel="nofollow">https://www.weave.works/oss/net/</a>

nhoughto大约 6 年前

We were recently discussing creating something like for this, the current set of CNI options is wide but shallow. As mentioned in the article CNI is something you want to be as simple as possible, we’ve had trouble with weave and all it’s complexity. Flannel plus encryption is perfect!

评论 #19784869 未加载

laacz大约 6 年前

Just afraid that time will come, when searching for black hole, neutrinos, gravity will primarily yield these kinds of topics. Not actual ones.

badloginagain大约 6 年前

Doesn't Istio provide inter-pod encryption, or am I totally off the reservation here?

评论 #19782952 未加载

8 条评论

kevin_nisbet大约 6 年前

Author here. Feel free to reach out if you have questions or thoughts about the project.

评论 #19781607 未加载

评论 #19782433 未加载

评论 #19781797 未加载

评论 #19782306 未加载

评论 #19781893 未加载

评论 #19781721 未加载

sloppycee大约 6 年前

评论 #19788121 未加载

fulafel大约 6 年前

OJFord大约 6 年前

评论 #19782683 未加载

leetbulb大约 6 年前

nhoughto大约 6 年前

评论 #19784869 未加载

laacz大约 6 年前

Just afraid that time will come, when searching for black hole, neutrinos, gravity will primarily yield these kinds of topics. Not actual ones.

badloginagain大约 6 年前

Doesn't Istio provide inter-pod encryption, or am I totally off the reservation here?

评论 #19782952 未加载

Gravitational Wormhole: WireGuard for Kubernetes

8 条评论

Gravitational Wormhole: WireGuard for Kubernetes

8 条评论