# Security This page provides an overview of various aspects of security to be considered when operating a cluster with **{{product}}**. To consider security properly, this means not just aspects of Kubernetes itself, but also how and where it is installed and operated. A lot of important aspects of security therefore lie outside the direct scope of **{{product}}**, but links for further reading are provided. ## Security of the snap/executable As detailed in the [snap documentation][], an application installed from a snap is inherently more secure than a traditionally installed application. Snap-based applications are installed into a sandboxed, self contained environment which restricts its ability to interact with the rest of user space. ## Security of the OCI images **{{product}}** relies on OCI standard images published as `rocks` to deliver the services which run and facilitate the operation of the Kubernetes cluster. The use of Rockcraft and `rocks` gives Canonical a way to maintain and patch images to remove vulnerabilities at their source, which is fundamental to our commitment to a sustainable Long Term Support(LTS) release of Kubernetes and overcoming the issues of stale images with known vulnerabilities. For more information on how these images are maintained and published, see the [Rockcraft documentation][rocks-security]. ## Kubernetes Security The Kubernetes cluster deployed by {{product}} can be secured using any of the methods and options described by the upstream [Kubernetes Security Documentation][]. {{product}} enables RBAC (Rules Based Access Control) by default. ## Cloud security If you are deploying **{{product}}** on public or private cloud instances, anyone with credentials to the cloud where it is deployed may also have access to your cluster. Describing the security mechanisms of these clouds is out of the scope of this documentation, but you may find the following links useful. - Amazon Web Services - Google Cloud Platform - Metal As A Service(MAAS) - Microsoft Azure - VMWare VSphere ## Security Compliance As with previously released Kubernetes software from Canonical, we aim to satisfy the needs of various security compliance standards. This is a process that will take some time however. Please watch out for future announcements and check the [roadmap][] for current areas of work. [Kubernetes Security documentation]: https://kubernetes.io/docs/concepts/security/overview/ [snap documentation]: https://snapcraft.io/docs/security-sandboxing [rocks-security]: https://canonical-rockcraft.readthedocs-hosted.com/en/latest/explanation/rockcraft/ [roadmap]: ../reference/roadmap