Canonical Kubernetes

Security

Administrators are provided with detailed instructions and compliance guidance to harden their clusters in accordance with DISA STIG and CIS recommendations.

  • Hardening guide
  • CIS assessment
  • Report a security issue
  • Refresh external certificates
  • Refresh Kubernetes certificates
  • Use intermediate CAs with Vault
Copyright © 2026 CC-BY-SA, Canonical Group Ltd
Last updated on Oct 20, 2025