cilium: don't allow remote node identities

The Cilium strict mode has a special mode which loosens the security a slight bit. For compatability this mode is enabled by default. But we don't need it for strict node-to-node encryption. Therefore, we disable it.
2024-10-01 01:36:09 -04:00 · 2023-10-26 00:33:48 +02:00 · 2023-10-26 00:33:48 +02:00 · 1972b635b4
commit 1972b635b4
parent e8840d5fdc
2 changed files with 8 additions and 6 deletions
--- a/cli/internal/helm/overrides.go
+++ b/cli/internal/helm/overrides.go
@ -45,7 +45,6 @@ func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, ou
 	strictMode := map[string]any{}
 	if provider != cloudprovider.QEMU {
 		strictMode = map[string]any{
-			"enabled":      true,
 			"nodeCIDRList": []string{output.IPCidrNode},
 		}
 	}
--- a/cli/internal/helm/values.go
+++ b/cli/internal/helm/values.go
@ -20,8 +20,9 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":     true,
-				"podCIDRList": []string{"10.244.0.0/16"},
+				"enabled":                   true,
+				"allowRemoteNodeIdentities": false,
+				"podCIDRList":               []string{"10.244.0.0/16"},
 			},
 		},
 		"l7Proxy": false,
@ -62,8 +63,9 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled":     true,
-				"podCIDRList": []string{"10.244.0.0/16"},
+				"enabled":                   true,
+				"allowRemoteNodeIdentities": false,
+				"podCIDRList":               []string{"10.244.0.0/16"},
 			},
 		},
 		"l7Proxy": false,
@ -107,7 +109,8 @@ var ciliumVals = map[string]map[string]any{
 			"type":           "wireguard",
 			"nodeEncryption": true,
 			"strictMode": map[string]any{
-				"enabled": true,
+				"enabled":                   true,
+				"allowRemoteNodeIdentities": false,
 			},
 		},
 		"image": map[string]any{