Security¶
This page provides an overview of various aspects of security to be considered when operating a cluster with Canonical Kubernetes. To consider security properly, this means not just aspects of Kubernetes itself, but also how and where it is installed and operated.
A lot of important aspects of security therefore lie outside the direct scope of Canonical Kubernetes, but links for further reading are provided.
Security of the snap/executable¶
As detailed in the snap documentation, an application installed from a snap is inherently more secure than a traditionally installed application. Snap-based applications are installed into a sandboxed, self contained environment which restricts its ability to interact with the rest of user space.
Security of the OCI images¶
Canonical Kubernetes relies on OCI standard images published as rocks to
deliver the services which run and facilitate the operation of the Kubernetes
cluster. The use of Rockcraft and rocks gives Canonical a way to maintain and
patch images to remove vulnerabilities at their source, which is fundamental to
our commitment to a sustainable Long Term Support(LTS) release of Kubernetes
and overcoming the issues of stale images with known vulnerabilities. For more
information on how these images are maintained and published, see the
Rockcraft documentation.
Kubernetes Security¶
The Kubernetes cluster deployed by Canonical Kubernetes can be secured using any of the methods and options described by the upstream Kubernetes Security Documentation.
Canonical Kubernetes enables RBAC (Rules Based Access Control) by default.
Cloud security¶
If you are deploying Canonical Kubernetes on public or private cloud instances, anyone with credentials to the cloud where it is deployed may also have access to your cluster. Describing the security mechanisms of these clouds is out of the scope of this documentation, but you may find the following links useful.
Amazon Web Services https://aws.amazon.com/security/
Google Cloud Platform https://cloud.google.com/security/
Metal As A Service(MAAS) https://maas.io/docs/snap/3.0/ui/hardening-your-maas-installation
Microsoft Azure https://docs.microsoft.com/en-us/azure/security/azure-security
VMWare VSphere https://www.vmware.com/security/hardening-guides.html
Security Compliance¶
As with previously released Kubernetes software from Canonical, we aim to satisfy the needs of various security compliance standards. This is a process that will take some time however. Please watch out for future announcements and check the roadmap for current areas of work.