https://johanneskueber.com/tags/wireguard/Recent content in Wireguard on johanneskueber.comHugoen_USMon, 25 May 2026 00:00:00 +0000https://johanneskueber.com/posts/2026-05-25-netbird-routing-peer/Mon, 25 May 2026 00:00:00 +0000https://johanneskueber.com/posts/2026-05-25-netbird-routing-peer/<p>This article documents how to run a NetBird client <em>inside</em> a Kubernetes cluster as a <strong>routing peer</strong> — rootless, with an in-memory state volume, a shell-based readiness probe, and dropped capabilities — so that remote mesh members can reach cluster-internal services over the encrypted overlay, without exposing kernel WireGuard and without making the cluster a peer of every workload.</p> <hr> <h2 id="1-why-a-netbird-peer-in-the-cluster">1. Why a NetBird peer in the cluster</h2> <p>NetBird is a WireGuard-based identity mesh. Each peer holds keys, exchanges them via the management plane, and routes encrypted traffic to other peers. The default deployment runs the client on a host (Linux VM, MacBook, etc.) and uses the host&rsquo;s kernel WireGuard.</p>