Your submission was sent successfully! Close

Jump to main content

Strictly Confined MicroK8s

MicroK8s is now available as a strictly confined snap on 1.25!

snap install microk8s --channel=1.25-strict/stable

What is strict confinement?

In summary, it is a snap confinement level that provides complete isolation, up to a minimal access level that’s always deemed safe. Strictly confined snaps can not access files, networks, processes, or any other system resource without requesting specific access. Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp, and namespaces to prevent applications and services from accessing the wider system.

How does this all work?

Interfaces are the key, which can be thought of as a resource access request. Each snap’s interface is carefully selected by the creator to provide specific access to a resource according to its requirements. An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on their function. Visit here for a list of supported interfaces. 

What does this mean for MicroK8s?

For example, MicroK8s has interfaces for container runtimes, network rules, etc. which can be seen here. So when a snap is installed, its metadata is examined and used to derive AppArmor profiles, Seccomp filters, and device cgroup rules, alongside traditional permissions. This combination provides a strong application for confinement and isolation for the Kubernetes runtime.

As we all know, Kubernetes is a highly dynamic environment which hosts a lot of applications that are used for a wide variety of solutions. And often times these applications interact with the host machines in a way that can be not so secure. Strict confinement makes sure that this dynamic environment is isolated from the hosts and that applications are doing what they’re supposed to be doing. So any CVEs, malicious actors, bugs, etc. will be limited with this isolation. Although there are caveats to this isolation, for example, some applications require elevated access to critical system resources which might not be granted they are viewed as vulnerabilities.

But fear not, MicroK8s comes with an addon system with verified and tested applications that will work on strict confinement. So most of the general use cases will be covered, and the strictly confined ecosystem will grow over time.

If there are things that don’t run as expected under strict confinement you can try to find what’s causing the problem by using snappy-debug.

snappy-debug.security scanlog

This command will list any AppArmor denials in the currently installed and running snaps and suggests appropriate interfaces and fixes for the issues.

You can also try running the snap in devmode. A devmode snap runs as a strictly confined snap with full access to system resources and produces debug output to identify unspecified interfaces. You need to install the snap with the devmode flag.

snap install microk8s --channel=1.25-strict/stable --devmode

You can report bugs and problems by opening an issue on GitHub.

Newsletter signup

Select topics you're
interested in

In submitting this form, I confirm that I have read and agree to Canonical's Privacy Notice and Privacy Policy.

Related posts

Kubernetes로 5G의 잠재력 활용하기

5세대 무선 기술인 5G는 우리가 연결하고 소통하는 방식을 변화하고 있습니다. 4G보다 최대 100배 빠른 데이터 전송 속도를 제공하는 5G 기술은 더 빠른 다운로드 및 업로드 시간, 낮은 latency 그리고 더 많은 기기의 연결이 가능합니다. 추가로 5G 네트워크는 고대역 및...

MicroK8s is now on AWS marketplace

MicroK8s is now on AWS marketplace Everyone knows that MicroK8s is an extremely lightweight, extensible, reliable, CNCF-compliant distribution of Kubernetes....

Harnessing the potential of 5G with Kubernetes

Harnessing the potential of 5G with Kubernetes 5G is the fifth generation of wireless technology which is transforming the way we connect and communicate....