Your Kubernetes pods are talking to each other in plaintext, and that’s a problem if you’re running sensitive workloads. Cilium can fix this with transparent encryption using WireGuard or IPsec, but which one should you pick?

Let’s see Cilium encrypting pod-to-pod traffic with WireGuard.

# values.yaml for the cilium Helm chart. Transparent encryption is a
# cluster-wide datapath setting; there is no per-policy or per-port switch.
encryption:
  enabled: true
  type: wireguard
  # Set to true to also encrypt traffic to and from the host network
  # (host-network pods, node-to-node), not only pod-to-pod traffic.
  nodeEncryption: false

With these values, Cilium encrypts every pod-to-pod packet that crosses a node boundary. Apply them with helm upgrade --install cilium cilium/cilium -n kube-system -f values.yaml, or with the Cilium CLI: cilium install --set encryption.enabled=true --set encryption.type=wireguard. Each agent generates its own WireGuard key pair, publishes the public key in the node annotation network.cilium.io/wg-pub-key, and creates a cilium_wg0 interface peered with every other node on UDP port 51871. Nothing is configured on the nodes by hand, and nothing can be scoped to particular pods or ports: traffic between two pods on the same node never leaves the host and is not encrypted, and host-network traffic is covered only when nodeEncryption is on. Confirm it took effect with kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep Encryption (cilium status on older agents); it should report Wireguard with a peer count equal to the number of other nodes.
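The check a practitioner runs right after enabling this, as an added example (not code from the page or from the Cilium project). It assumes the agent DaemonSet is named cilium in kube-system with the label k8s-app=cilium, that the status command prints an Encryption: line in the form shown in the comments, and that the public-key annotation is network.cilium.io/wg-pub-key; the sample status text used below is constructed.

```shell
#!/bin/sh
# Added example, not from the page or the Cilium project.
# Verifies that WireGuard transparent encryption is really active.
# Assumptions: agent DaemonSet "cilium" in kube-system, status printed by
# "cilium-dbg status" (older releases: "cilium status") with a line like
#   Encryption: Wireguard [NodeEncryption: Disabled, cilium_wg0 (Pubkey: ..., Port: 51871, Peers: 2)]

# wg_status_ok STATUS_TEXT MIN_PEERS
# Returns 0 only if the Encryption line says Wireguard and the agent has
# peered with at least MIN_PEERS nodes (it should peer with every other node).
wg_status_ok() {
  status_text="$1"
  min_peers="$2"
  line=$(printf '%s\n' "$status_text" | grep -i '^[[:space:]]*Encryption:' || true)
  case "$line" in
    *[Ww]ire[Gg]uard*) ;;
    *) return 1 ;;   # Disabled, IPsec, or no Encryption line at all
  esac
  peers=$(printf '%s\n' "$line" | sed -n 's/.*Peers: \([0-9][0-9]*\).*/\1/p')
  [ -n "$peers" ] && [ "$peers" -ge "$min_peers" ]
}

# nodes_without_wg_key: a node that never published its public key cannot
# be peered, so cross-node traffic to its pods would travel in the clear.
nodes_without_wg_key() {
  kubectl get nodes --no-headers \
    -o custom-columns='NAME:.metadata.name,KEY:.metadata.annotations.network\.cilium\.io/wg-pub-key' \
    | awk '$2 == "<none>" { print $1 }'
}

# check_cluster: run the status check against every agent (needs kubectl).
check_cluster() {
  node_count=$(kubectl get nodes --no-headers | wc -l | tr -d ' ')
  rc=0
  for pod in $(kubectl -n kube-system get pods -l k8s-app=cilium -o name); do
    out=$(kubectl -n kube-system exec "$pod" -- cilium-dbg status 2>/dev/null || true)
    if wg_status_ok "$out" $((node_count - 1)); then
      echo "OK   $pod"
    else
      echo "FAIL $pod: $(printf '%s\n' "$out" | grep -i 'Encryption:' || echo 'no status output')"
      rc=1
    fi
  done
  missing=$(nodes_without_wg_key)
  [ -z "$missing" ] || { echo "nodes without wg-pub-key annotation: $missing"; rc=1; }
  return $rc
}

# Only touch the cluster when asked; otherwise the file just defines functions.
if [ "${1:-}" = "check" ]; then
  check_cluster
fi
```

Run it as sh wg-check.sh check against a kubeconfig. For a second opinion from the wire itself, capture on a node's uplink: tcpdump -ni <uplink> udp port 51871 should show the node-to-node WireGuard flow, and a capture filtered on a pod IP should show nothing, while tcpdump -ni cilium_wg0 shows the same pod traffic decrypted.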

The problem Cilium solves here is that pod networking is plaintext by default. In a typical Kubernetes cluster, traffic between pods on different nodes travels unencrypted across the node network, whether it is VXLAN-encapsulated or natively routed, so anyone positioned on that network (a compromised node, a shared switch, an untrusted cloud underlay) can read or tamper with application data. Cilium’s transparent encryption closes that gap by encrypting all inter-node pod traffic on the wire, with no change to the applications. It gives you confidentiality and integrity on the wire, not authorization: a compromised pod still reaches whatever network policy allows, so encryption complements CiliumNetworkPolicy rather than replacing it.

Internally, Cilium’s eBPF datapath classifies each packet as it leaves a pod. If the destination is a pod on another node, the packet is steered to the kernel’s WireGuard interface (cilium_wg0), which encrypts it, or, in IPsec mode, marked so that the XFRM policies and states Cilium installed apply ESP to it; the matching decryption happens in the kernel on the receiving node. The eBPF programs do not perform the cryptography themselves; the kernel’s WireGuard module or XFRM stack does. For WireGuard, each agent generates a key pair at startup, publishes only the public half in the node annotation network.cilium.io/wg-pub-key, and adds every other node as a peer, so key distribution needs no extra infrastructure. For IPsec, you provision a pre-shared key in the cilium-ipsec-keys Secret in kube-system; the agents derive the XFRM states for the pod CIDRs from it, and rotating that key (by bumping its SPI) is your job, not Cilium’s.
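The IPsec key handling described above, as an added example that is not the page’s or Cilium’s own code. It generates and validates a keys line in the format the Cilium IPsec documentation uses for the cilium-ipsec-keys Secret, and wraps the kubectl step for installing or rotating it. The Secret name, the data key "keys", the algorithm string and the 1 to 15 SPI range come from that documentation; the helper names, the SPI value 3 in the usage line, and the "+" suffix (per-node key derivation in newer releases; older releases use a bare number) are my choices, left to the caller.

```shell
#!/bin/sh
# Added example, not from the page or the Cilium project.
# Builds and sanity-checks the pre-shared key line that Cilium's IPsec mode
# reads from the "cilium-ipsec-keys" Secret (data key "keys") in kube-system.
# Documented line format:  <spi> rfc4106(gcm(aes)) <hex key> 128
#   <spi>    key id 1..15; rotate by installing a new line with the next id
#   <hex key> 20 bytes = 16-byte AES-128 key + 4-byte GCM salt (40 hex chars)
# A "+" suffix on the SPI (e.g. "3+") asks newer Cilium releases to derive
# per-node keys from this secret; older releases expect a bare number.

KEY_BYTES=20   # AES-128 key (16) + GCM salt (4) for rfc4106(gcm(aes)) ... 128

# gen_ipsec_key_line SPI: emit one fresh keys line from /dev/urandom.
gen_ipsec_key_line() {
  spi="$1"
  hex=$(head -c "$KEY_BYTES" /dev/urandom | od -An -v -tx1 | tr -d ' \n')
  printf '%s rfc4106(gcm(aes)) %s 128\n' "$spi" "$hex"
}

# validate_ipsec_key_line LINE: 0 only if the line is well formed
# (SPI 1..15 with optional '+', the expected algorithm, exactly 40 hex
# characters, key size 128). A short key here means a silently weak key.
validate_ipsec_key_line() {
  line="$1"
  set -- $line
  [ $# -eq 4 ] || return 1
  spi=${1%+}
  case "$spi" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$spi" -ge 1 ] && [ "$spi" -le 15 ] || return 1
  [ "$2" = "rfc4106(gcm(aes))" ] || return 1
  case "$3" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ ${#3} -eq 40 ] || return 1
  [ "$4" = "128" ]
}

# apply_ipsec_secret SPI: install or rotate the key (needs kubectl).
# Rotation is a new line with a higher SPI; the create/apply pair upserts.
apply_ipsec_secret() {
  line=$(gen_ipsec_key_line "$1")
  validate_ipsec_key_line "$line" || { echo "refusing to install malformed key line" >&2; return 1; }
  kubectl -n kube-system create secret generic cilium-ipsec-keys \
    --from-literal=keys="$line" --dry-run=client -o yaml | kubectl apply -f -
}

# Usage (touches the cluster, so only when asked):  sh ipsec-key.sh 3+
if [ -n "${1:-}" ]; then
  apply_ipsec_secret "$1"
fi
```

Keep the previous SPI in mind when rotating: the new id must differ from the one in use, and the agents pick the change up from the Secret without a restart. The validator is the part worth keeping around; a 16-byte key that passes a quick visual check is the kind of mistake that only shows up when ESP setup fails on every node at once.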

The key levers you control are Helm values (or the equivalent entries in the cilium-config ConfigMap), not network policy: encryption.enabled, encryption.type (wireguard or ipsec), encryption.nodeEncryption for host-network traffic, the encryption.ipsec settings that name the key Secret and the interface to use, and, in newer releases, encryption.strictMode, which drops unencrypted pod traffic instead of forwarding it. CiliumNetworkPolicy cannot select which flows get encrypted; it decides which flows are allowed at all, and you still need it for that.

One thing that often surprises people is that Cilium’s WireGuard mode doesn’t require wireguard-tools or a separate WireGuard daemon on your nodes. The agent talks to the kernel’s WireGuard module directly (Linux 5.6 or later, or a distribution kernel with the module backported), so there is nothing extra to install, start or restart. There is one cilium_wg0 interface per node and one peer entry per other node; the peer set changes only when nodes join or leave, not as pods come and go, and every cross-node pod packet goes through it. Pod-to-pod traffic on the same node stays unencrypted because it never leaves the host, host-network traffic is only covered when nodeEncryption is enabled, and an agent on a kernel without the WireGuard module refuses to start rather than silently falling back to plaintext.

The next step is deciding between WireGuard and IPsec for your cluster, the question this page opened with.

Want structured learning?

Take the full Cilium course →