Description
Is your feature request related to a problem? Please describe.
When using AKS with Cilium (BYOCNI) and WireGuard-based transparent encryption (encryption.type: wireguard), adding a KataMshvVmIsolation node pool causes cilium-agent to crash immediately on startup with:
failed to initialize WireGuard agent: WireGuard not supported by the Linux kernel
(netlink: operation not supported). Please upgrade your kernel, or manually install
the kernel module (https://www.wireguard.com/install/)
The cilium-agent DaemonSet runs as a regular runc container on the host (not inside a Kata VM), but the MSHV host kernel (6.6.100.mshv1-3.azl3) has CONFIG_WIREGUARD explicitly disabled in SPECS/kernel-mshv/config, while the standard AzureLinux kernel (SPECS/kernel/config) ships it as a loadable module (CONFIG_WIREGUARD=m).
This makes Kata/Pod Sandboxing nodes completely unusable in clusters that rely on WireGuard encryption, because:
- The cilium-agent enters CrashLoopBackOff, leaving the node without a functioning CNI
- The node.cilium.io/agent-not-ready:NoSchedule taint is never removed
- No pods can be scheduled or get networking on the node
Environment:
- AKS Kubernetes 1.33.6, node image AKSAzureLinux-V3katagen2-202602.13.5
- Host kernel 6.6.100.mshv1-3.azl3
- Cilium 1.18.6 (BYOCNI via Helm)
- Node pool workload runtime: KataMshvVmIsolation
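To check a node before relying on it, and to reproduce what cilium-agent sees, here is an added shell preflight (not code from the issue, Cilium or AzureLinux): it classifies CONFIG_WIREGUARD from the kernel config and then attempts the same netlink link creation that the error above reports as unsupported. The config paths, function names and the probe device name are assumptions for illustration; the two config fragments in wg_demo are constructed to mirror the kernel-mshv and kernel settings quoted in the description.

```shell
#!/bin/sh
# Added example (not from the issue, Cilium or AzureLinux): a node preflight
# for the WireGuard support cilium-agent needs. Run it in a hostNetwork pod or
# a `kubectl debug node/<name>` shell as `sh wg-preflight.sh run`.

# wg_config_state FILE
# Classifies CONFIG_WIREGUARD in a kernel config, plain or gzip (e.g.
# /proc/config.gz). Prints: builtin | module | disabled | unknown
wg_config_state() {
    case "$1" in
        *.gz) reader="gzip -dc" ;;
        *)    reader=cat ;;
    esac
    # Anchored so CONFIG_WIREGUARD_DEBUG does not match.
    line=$($reader "$1" 2>/dev/null | grep -E '^(# )?CONFIG_WIREGUARD(=| is not set)' | head -n 1)
    case "$line" in
        CONFIG_WIREGUARD=y)              echo builtin ;;
        CONFIG_WIREGUARD=m)              echo module ;;
        '# CONFIG_WIREGUARD is not set') echo disabled ;;
        *)                               echo unknown ;;
    esac
}

# wg_find_config
# Prints the first readable config for the running kernel (assumed paths).
wg_find_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# wg_kernel_probe
# The same question cilium-agent asks the kernel over netlink: create a
# wireguard link. Needs CAP_NET_ADMIN; the throwaway device is removed again.
# Returns 0 on success, 1 when the kernel answers "operation not supported".
wg_kernel_probe() {
    dev="wgprobe$$"
    if ip link add "$dev" type wireguard 2>/dev/null; then
        ip link del "$dev" 2>/dev/null
        return 0
    fi
    return 1
}

# wg_demo
# Constructed config fragments mirroring the two kernels in the issue
# (kernel-mshv: not set; kernel: =m). Prints "mshv=<state> azl=<state>".
wg_demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_NET=y\n# CONFIG_WIREGUARD is not set\n' > "$tmp/mshv.config"
    printf 'CONFIG_NET=y\nCONFIG_WIREGUARD=m\n' > "$tmp/azl.config"
    echo "mshv=$(wg_config_state "$tmp/mshv.config") azl=$(wg_config_state "$tmp/azl.config")"
    rm -rf "$tmp"
}

# wg_node_report
# Report for the node this runs on; exit status is the live probe result.
wg_node_report() {
    if cfg=$(wg_find_config); then
        echo "kernel $(uname -r): CONFIG_WIREGUARD $(wg_config_state "$cfg") ($cfg)"
    else
        echo "kernel $(uname -r): no readable kernel config found"
    fi
    if wg_kernel_probe; then
        echo "netlink: wireguard link created OK"
    else
        echo "netlink: operation not supported (cilium-agent will crash here)"
        return 1
    fi
}

if [ "${1-}" = run ]; then wg_node_report; fi
```

On a kernel-mshv node the config check reports "disabled" and the netlink probe fails, which is exactly the state that puts cilium-agent into CrashLoopBackOff; on a standard AzureLinux node the config check reports "module" and the probe succeeds once the module autoloads.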
Describe the solution you'd like
Enable WireGuard as a loadable kernel module in the MSHV kernel config:

```diff
- # CONFIG_WIREGUARD is not set
+ CONFIG_WIREGUARD=m
```

This would bring the MSHV kernel in line with the standard AzureLinux kernel and allow Cilium (and potentially other WireGuard consumers) to function correctly on Kata/Pod Sandboxing nodes.
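Review bot: flipping CONFIG_WIREGUARD to =m only helps if the resulting wireguard.ko is loadable under the lockdown (integrity) mode the alternatives table says rejects unsigned modules, so the kernel-mshv build should be checked to sign its in-tree modules (CONFIG_MODULE_SIG_ALL) and the packaged wireguard.ko verified with modinfo for a signature. WireGuard's Kconfig selects its own crypto library dependencies, so no further config lines are expected, but diffing the generated .config against SPECS/kernel/config would confirm that.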
Describe alternatives you've considered
| Alternative | Viable? | Notes |
|---|---|---|
| Manually load WireGuard module | No | Module is not compiled; kernel lockdown (integrity) blocks unsigned modules |
| Cilium userspace WireGuard fallback (wireguard-go) | No | Removed in Cilium 1.17 (cilium/cilium#33594) |
| Switch to IPsec encryption | Partial | Applies cluster-wide, different performance characteristics, may also lack kernel support in the MSHV kernel |
| Disable encryption entirely | Partial | Degrades security posture for the entire cluster |
| Exclude Kata nodes from Cilium DaemonSet | No | Nodes would have no CNI at all |
None of these are acceptable long-term solutions for mixed clusters that need both Kata VM isolation and encrypted node-to-node traffic.
Additional context
- WireGuard has been in the mainline Linux kernel since 5.6 and is widely considered stable
- The standard AzureLinux 3 kernel already ships it as a module (CONFIG_WIREGUARD=m)
- Azure's own ACNS (Advanced Container Networking Services) documents WireGuard encryption as a supported feature for AKS, but it cannot work on Pod Sandboxing nodes due to this kernel config gap
- Cilium's Kata Containers documentation does not mention this limitation, likely because it is specific to the MSHV kernel variant