Simple question that I can not find the answer to.
If there is a Rancher setup with 2 Nodes in for example 2 separate Data Centers. And we have an app running on both, loadbalanced with ingress on L7 level (SSL is stripped on ingress)
How is data transferred from ingress to a pod and is it secure between multiple Data Centers?
There are three solutions that come to mind:
Can someone please confirm how rancher is implemented in this aspect.
Based on this thread on Rancher forum
Ingress controller may be on one node and pods can be on another. When using L7 load balancing, SSL is stripped on ingress and traffic is forwarded on a pod without SSL encryption.
Communication between ingress and pods may or may not be tunneled depending on your Rancher configuration for CNI providers (Documentation)
If rancher is setup with Canal then communication between ingress and pods will be tunneled, and so, secure from outside attackers.
However if rancher is setup with Calico it will not be tunneled.
So depending on your setup you may use Canal if your nodes are publicly accessed and someone may sniff your traffic. Or you could use Calico if you have your whole setup on a private network.
Notice
There is a potential security risk that is not mentioned here.
Neither Calico nor Canal may protect you from malicious pods. So if your configuration demands security level where there can be a pod sniffing traffic, you would need to use other needs to secure your infrastructure.