Live Migration of Instances
For the Live Migration of Instances the source and target libvirtd process need to communicate with each other. This communication is secured using a ssh tunnel between the source and the target node. However the communication between the qemu processes is unencrypted and it is used for the actual state transfer.
The ssh tunnel is authenticated using ssh-keys on the respective source. The key is generated by the operator during the deployment of the compute node and is placed in a secret. The respective public-key is placed in a authorized_keys file in a general configmap by the operator.
The source is the respective libvirtd container and it’s respective ssh-key is mounted to /root/.ssh.
The target is the respective nova-compute pod with its nova-compute-ssh container. The container is running sshd and is getting the authorized_keys mounted to /root/.ssh/authorized_keys/authorizedkeys (which is then updated automatically by kubernetes).