Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Berkay Tekin Öz
on 26 August 2022

MicroK8s is now available as a strictly confined snap on 1.25!

snap install microk8s --channel=1.25-strict/stable

What is strict confinement?

In summary, it is a snap confinement level that provides complete isolation, up to a minimal access level that’s always deemed safe. Strictly confined snaps can not access files, networks, processes, or any other system resource without requesting specific access. Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp, and namespaces to prevent applications and services from accessing the wider system.

How does this all work?

Interfaces are the key, which can be thought of as a resource access request. Each snap’s interface is carefully selected by the creator to provide specific access to a resource according to its requirements. An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on their function. Visit here for a list of supported interfaces. 

What does this mean for MicroK8s?

For example, MicroK8s has interfaces for container runtimes, network rules, etc. which can be seen here. So when a snap is installed, its metadata is examined and used to derive AppArmor profiles, Seccomp filters, and device cgroup rules, alongside traditional permissions. This combination provides a strong application for confinement and isolation for the Kubernetes runtime.

As we all know, Kubernetes is a highly dynamic environment which hosts a lot of applications that are used for a wide variety of solutions. And often times these applications interact with the host machines in a way that can be not so secure. Strict confinement makes sure that this dynamic environment is isolated from the hosts and that applications are doing what they’re supposed to be doing. So any CVEs, malicious actors, bugs, etc. will be limited with this isolation. Although there are caveats to this isolation, for example, some applications require elevated access to critical system resources which might not be granted they are viewed as vulnerabilities.

But fear not, MicroK8s comes with an addon system with verified and tested applications that will work on strict confinement. So most of the general use cases will be covered, and the strictly confined ecosystem will grow over time.

If there are things that don’t run as expected under strict confinement you can try to find what’s causing the problem by using snappy-debug. scanlog

This command will list any AppArmor denials in the currently installed and running snaps and suggests appropriate interfaces and fixes for the issues.

You can also try running the snap in devmode. A devmode snap runs as a strictly confined snap with full access to system resources and produces debug output to identify unspecified interfaces. You need to install the snap with the devmode flag.

snap install microk8s --channel=1.25-strict/stable --devmode

You can report bugs and problems by opening an issue on GitHub.

Related posts

Marcin "Perk" Stożek
14 March 2024

How should a great K8s distro feel? Try the new Canonical Kubernetes, now in beta

Kubernetes Article

Try the new Canonical Kubernetes beta, our new distribution that combines ZeroOps for small clusters and intelligent automation for larger production environments that also want to benefit from the latest community innovations ...

Marcin "Perk" Stożek
14 December 2023

Canonical Kubernetes 1.29 is now generally available

Kubernetes Article

A new upstream Kubernetes release, 1.29, is generally available, with significant new features and bugfixes. Canonical closely follows upstream development, harmonising our releases to deliver timely and up-to-date enhancements backed by our commitment to security and support – which means that MicroK8s 1.29 is now generally available as ...

Michael C. Jaeger
9 November 2023

Turbocharge your API and microservice delivery on MicroK8s with Microcks

Ubuntu Article

Give Microcks on MicroK8s a try and experience the benefits of accelerated development cycles and robust testing. ...