KubeSpan with 3 node local cluster and a worker node in Hetzner #7378
My use case is a 3 node cluster in my lab (NUC13s) and one worker node in Hetzner. I'm trying not to shoot myself in the foot by needlessly doing WireGuard in my house between nodes that are literally stacked upon each other. How can I best avoid doing needless wg? I only want to wg to Hetzner. If I turn on KubeSpan will all node-to-node comms be over wg, including the local nodes? Should I just pick a separate CIDR and have that run over wg? Would the machine config be the same for local nodes as well as the Hetzner node? (the KubeSpan config I mean, obviously there will be differences in other areas)
KubeSpan will encrypt all node-to-node traffic, regardless of whether it is local node to local node (as it doesn't know what is local). But that shouldn't lead to any foot shooting - there is a slight overhead of encrypting the local traffic, but KubeSpan makes it all just work transparently. You can manually set up WireGuard to do what you want, but I would just run KubeSpan.
Well, not with the simplicity of KubeSpan.
You can roll your own WireGuard config (which is built into Talos - see https://www.talos.dev/v1.4/talos-guides/network/wireguard-network/).
But you will have to set up the config, key exchange, etc.
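
The two options discussed in this thread, side by side as Talos machine config patches. This is an added example, not configuration from the posters or the Talos project; the tunnel addresses, port, endpoint and key placeholders are constructed and must be replaced with your own values.

```yaml
# Option A: KubeSpan. The same stanza is applied to every node,
# local and Hetzner alike; all node-to-node traffic is then encrypted.
machine:
  network:
    kubespan:
      enabled: true
cluster:
  discovery:
    enabled: true        # KubeSpan relies on discovery to find peers and share public keys
---
# Option B: manual WireGuard on ONE local node, peering only with the
# Hetzner worker. Local-to-local traffic stays unencrypted on the LAN.
machine:
  network:
    interfaces:
      - interface: wg0
        addresses:
          - 10.1.0.1/24                               # constructed tunnel address of this node
        wireguard:
          privateKey: "<LOCAL_NODE_PRIVATE_KEY>"      # placeholder, generated per node
          listenPort: 51820                           # constructed port
          peers:
            - publicKey: "<HETZNER_NODE_PUBLIC_KEY>"  # placeholder
              endpoint: 203.0.113.10:51820            # constructed (documentation range) address
              allowedIPs:
                - 10.1.0.4/32                         # constructed tunnel address of the Hetzner node
              persistentKeepaliveInterval: 25s        # keeps the NAT mapping open from the home network
```

With option B each node needs its own key pair and a matching peer entry on the other side, which is the config and key exchange work the reply above refers to.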