Sign in Subscribe
1 min read

Encrypt Internal Traffic in k3s with Cilium and WireGuard

Encrypt Internal Traffic in k3s with Cilium and WireGuard

Introduction

Securing internal traffic in Kubernetes is crucial, especially in multi-node clusters where data flows between pods. This guide walks you through setting up k3s with Cilium and WireGuard to encrypt pod-to-pod communication.

1. Setting Up k3s

We’ll install k3s while disabling Flannel (default CNI) so that we can use Cilium.

1.1. Install k3s Without Flannel

Run the following command on your node:

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--flannel-backend=none --disable-network-policy" sh -

This:

  • Disables Flannel (--flannel-backend=none)
  • Disables default network policies (--disable-network-policy)

Verify k3s is running:

kubectl get nodes

2. Deploy Cilium with WireGuard

Cilium will replace Flannel as the networking layer and encrypt traffic using WireGuard.

2.1. Install Helm & Add Cilium Repo

Ensure Helm is installed, then add the Cilium repository:

export KUBECONFIG=~/.kube/kubeconfig.yaml <your kubeconfig>
helm repo add cilium https://helm.cilium.io
helm repo update

2.2. Install Cilium with WireGuard

Deploy Cilium with WireGuard enabled:

helm install cilium cilium/cilium \
  --namespace kube-system \
  --set encryption.enabled=true \
  --set encryption.type=wireguard \
  --set k8sServiceHost=$(hostname -I | awk '{print $1}') \
  --set k8sServicePort=6443

This:

  • Enables encryption (encryption.enabled=true)
  • Uses WireGuard (encryption.type=wireguard)
  • Connects to k3s API (needed for kube-proxy replacement)

Verify installation:

kubectl get pods -n kube-system

3. Testing Encryption

Once Cilium is installed, we’ll deploy a simple application and test the encryption.

3.1. Deploy a Test Application

kubectl create deployment nginx --image=nginx
kubectl expose deployment nginx --port=80

Check if the pod is running:

kubectl get pods -o wide

3.2. Verify WireGuard Encryption

Check if WireGuard tunnels are created:

ip link show | grep wg

Monitor traffic:

kubectl -n kube-system exec -it ds/cilium -- cilium monitor

You should see encrypted packets instead of plaintext HTTP traffic.

Conclusion

By integrating Cilium with WireGuard, you’ve secured internal Kubernetes traffic with minimal effort. This setup ensures that even if someone gains access to your network, they won’t be able to see plaintext data moving between pods.

Published by:

Member discussion