Cleartext Transmission of Sensitive Information
CVE-2024-28250
Summary
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In versions 1.14.0-pre.2 through 1.14.7, 1.15.0-pre.0 through 1.15.1, and 1.16.0-pre.0, in Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies, WireGuard-eligible traffic sent between a node's Envoy proxy and pods on other nodes is sent unencrypted, and WireGuard-eligible traffic sent between a node's DNS proxy and pods on other nodes is sent unencrypted. This issue has been resolved in Cilium native routing mode ("routingMode=native") and Cilium tunneling mode ("routingMode=tunnel"). Note that in tunneling mode, "encryption.wireguard.encapsulate" must be set to "true". There is no known workaround for this issue.
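An added configuration check, not part of the advisory or of the Cilium project, that encodes the affected version ranges and the tunnel-mode caveat above. It assumes the agent configuration is available as the flat key/value map of the `cilium-config` ConfigMap with the keys `enable-wireguard`, `routing-mode` and `wireguard-encapsulate` (verify these names against your cluster), and it infers the first fixed patch releases (1.14.8, 1.15.2) from the ranges the advisory lists.

```python
import re
from typing import Optional

# Ranges the advisory lists as affected: 1.14.0-pre.2..1.14.7, 1.15.0-pre.0..1.15.1
# and 1.16.0-pre.0. The first fixed patch per minor is inferred from them (assumption).
FIRST_FIXED_PATCH = {14: 8, 15: 2}

def parse_version(v: str):
    """'v1.14.0-pre.2' -> (1, 14, 0, '-pre.2'); release builds have an empty suffix."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?", v)
    if not m:
        raise ValueError(f"unrecognised Cilium version: {v}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) or ""

def version_affected(v: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    major, minor, patch, suffix = parse_version(v)
    if major != 1:
        return False
    if minor == 16:
        return (patch, suffix) == (0, "-pre.0")       # only 1.16.0-pre.0 is listed
    if minor == 14 and (patch, suffix) in ((0, "-pre.0"), (0, "-pre.1")):
        return False                                   # the 1.14 range starts at 1.14.0-pre.2
    return minor in FIRST_FIXED_PATCH and patch < FIRST_FIXED_PATCH[minor]

def unencrypted_proxy_traffic(version: str, cfg: dict) -> Optional[str]:
    """Return why Envoy/DNS-proxy traffic to remote pods would bypass WireGuard,
    or None when the cluster is outside the conditions the advisory describes.
    `cfg` is the flat cilium-config map; the key names are assumptions (see lead-in)."""
    if cfg.get("enable-wireguard", "false").lower() != "true":
        return None                        # WireGuard off: the advisory does not apply
    if version_affected(version):
        return f"Cilium {version} is within an affected range; upgrade"
    # routing-mode defaults to tunnel here as the conservative assumption.
    if cfg.get("routing-mode", "tunnel") == "tunnel" and \
            cfg.get("wireguard-encapsulate", "false").lower() != "true":
        return "tunnel mode needs wireguard-encapsulate=true for the fix to take effect"
    return None

if __name__ == "__main__":
    # Constructed sample configurations, not taken from a real cluster.
    tunnel_no_encap = {"enable-wireguard": "true", "routing-mode": "tunnel"}
    native = {"enable-wireguard": "true", "routing-mode": "native"}
    for ver, cfg in (("1.15.1", native), ("1.15.2", tunnel_no_encap), ("1.15.2", native)):
        print(ver, cfg["routing-mode"], "->", unencrypted_proxy_traffic(ver, cfg) or "ok")
```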
- HIGH
- ADJACENT_NETWORK
- NONE
- CHANGED
- NONE
- NONE
- HIGH
- NONE
CWE-319 - Cleartext Transmission of Sensitive Information
The software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.