Extend your VPN from your Kubernetes Cluster to your isolated Edge Devices

To support their business, most companies need to engage with partners and customers outside of their traditional IT perimeter, extending into the cloud or the edge. This creates increased operational complexity and exposes companies to more cyber threats. One way to mitigate this complexity is by using containerized solutions, which help scale, deploy, and update applications more easily. However, extending beyond the traditional IT perimeter also means dealing with different environments and container management tools.

Let’s consider two typical but very different environments (in terms of hardware, operations, ownership, accessibility, etc.) that companies may use in the cloud or at the edge: a virtual machine (VM) and a small edge gateway. It is quite common to run Kubernetes clusters on top of VMs, but small edge gateways are typically limited to simpler container tools, such as Docker or Podman.

At CYSEC SA, we offer a family of hardened, Linux-based microdistributions designed to host containerized applications, enabling the implementation of distributed architectures. For example, our customers in sectors such as healthcare or drones can securely and centrally manage fleets of edge devices. One challenge they often face when mixing Kubernetes clusters with isolated Docker/Podman nodes is setting up a secure communication channel between these different types of nodes. This is essential to ensure the secure and transparent management of their entire fleet.

To address this challenge, we proposed a solution based on establishing VPN tunnels between all nodes. The implementation of VPN tunnels between Kubernetes nodes can be handled relatively easily at the Kubernetes distribution level. However, setting up VPN tunnels between cluster nodes and isolated nodes is a bit more complex. Our preferred VPN solution is WireGuard. To securely connect the isolated nodes to the Kubernetes cluster, we recommend deploying a WireGuard server within the Kubernetes cluster itself. This allows the server to benefit from the reliability and robustness that Kubernetes provides.
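As an added illustration of this architecture (example configuration, not CYSEC's document or product code), the following manifests run a single WireGuard server inside the cluster, expose its UDP port, and pin each isolated edge node to one tunnel address; the edge-node side appears as a trailing comment. It assumes the cluster nodes have the WireGuard kernel module available, and every image name, key and address is a placeholder.

```yaml
# Added example (not from CYSEC's document); every name, key and address is a placeholder.
# 1) Server config as a Secret; each isolated edge node is one [Peer] pinned to a single /32.
apiVersion: v1
kind: Secret
metadata: {name: wireguard-config}
stringData:
  wg0.conf: |
    [Interface]
    Address = 10.200.0.1/24
    ListenPort = 51820
    # inject at deploy time; never commit the private key
    PrivateKey = <SERVER_PRIVATE_KEY>
    [Peer]
    PublicKey = <EDGE_NODE_PUBLIC_KEY>
    AllowedIPs = 10.200.0.10/32
---
# 2) The server: one replica, NET_ADMIN only (no privileged mode), config mounted read-only.
apiVersion: apps/v1
kind: Deployment
metadata: {name: wireguard}
spec:
  replicas: 1
  selector: {matchLabels: {app: wireguard}}
  template:
    metadata: {labels: {app: wireguard}}
    spec:
      containers:
      - name: wireguard
        image: <REGISTRY>/wireguard:<TAG>   # placeholder; image must ship wg-quick and iproute2
        command: ["sh", "-c", "wg-quick up wg0 && exec sleep infinity"]
        ports: [{containerPort: 51820, protocol: UDP}]
        securityContext:
          capabilities: {add: ["NET_ADMIN"]}
        volumeMounts: [{name: cfg, mountPath: /etc/wireguard, readOnly: true}]
      volumes:
      - name: cfg
        secret: {secretName: wireguard-config, defaultMode: 0400}
---
# 3) Expose UDP 51820 outside the cluster so edge devices behind NAT can dial in.
apiVersion: v1
kind: Service
metadata: {name: wireguard}
spec:
  type: LoadBalancer
  selector: {app: wireguard}
  ports: [{port: 51820, targetPort: 51820, protocol: UDP}]
# Edge-node side, /etc/wireguard/wg0.conf on the Docker/Podman host (for reference):
#   [Interface]  Address = 10.200.0.10/32 ; PrivateKey = <EDGE_NODE_PRIVATE_KEY>
#   [Peer]       PublicKey = <SERVER_PUBLIC_KEY> ; Endpoint = <LB_IP>:51820
#                AllowedIPs = 10.200.0.0/24 ; PersistentKeepalive = 25
```

The per-peer /32 in the server's AllowedIPs is what stops one compromised edge device from sourcing traffic as another tunnel address, and PersistentKeepalive on the edge side keeps NAT mappings open so the cluster can reach a device that never initiates traffic itself.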

Our solution architecture for setting up the WireGuard server and establishing VPN tunnels between the Kubernetes cluster and isolated nodes is outlined in the following document: