Encrypt application pods traffic using calico

i have a question, i need to secure pods traffic in my kubernetes cluster and i see that calico can do it using wireguard, is that wireguard can encrypt pods traffic when they’re just in different worker nodes or it can encrypt traffic pods even if the’re in the same machin (worker node) ?

Our Wireguard feature only encrypts traffic between nodes. The rationale for that is that the node needs to implement security policy so the node needs to see the traffic to do that.

Wireguard (but not Calico) does support a mode where each pod would have its own wireguard device and the traffic wouldn’t be seen on the host. However, I don’t believe that it encrypts traffic between pods on the same host.

“pod-pod traffic on the same node” is all virtual packets in the kernel.

If someone has access to the node and is able to snoop packets on the node, I think you’ve got bigger problems (because they’d have to be root).