Berkay Tekin Öz
on 26 August 2022

MicroK8s is now available as a strictly confined snap on 1.25!

snap install microk8s --channel=1.25-strict/stable

What is strict confinement?

In summary, it is a snap confinement level that provides complete isolation, up to a minimal access level that’s always deemed safe. Strictly confined snaps cannot access files, networks, processes, or any other system resource without requesting specific access. Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp, and namespaces, to prevent applications and services from accessing the wider system.

How does this all work?

Interfaces are the key: an interface can be thought of as a request for access to a resource. A snap’s interfaces are selected by its publisher to provide exactly the access the snap requires. An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on the interface. Visit here for a list of supported interfaces.

What does this mean for MicroK8s?

For example, MicroK8s has interfaces for container runtimes, network rules, etc., which can be seen here. When a snap is installed, its metadata is examined and used to derive AppArmor profiles, seccomp filters, and device cgroup rules, alongside traditional permissions. Together, these mechanisms confine and isolate the Kubernetes runtime.
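The first check an operator runs after installing a strictly confined snap is which of its declared plugs are actually connected, since a plug that is declared but not connected is an interface that is not active. The script below is an added example, not code from the post or the MicroK8s project: it parses the four-column output of snap connections (Interface, Plug, Slot, Notes) and prints the snap connect command for every plug whose Slot column is "-". The listing embedded in it is a constructed sample; the plug names in it are illustrative, not a statement of which interfaces the MicroK8s 1.25 snap declares.

```shell
#!/bin/sh
# Added example (not from the post or the MicroK8s project): find plugs of a
# snap that are declared but not connected. On a host you would pipe in
# `snap connections microk8s`; the listing below is a constructed sample in
# the same four-column format, with illustrative plug names.
SAMPLE_CONNECTIONS='Interface           Plug                         Slot                 Notes
docker-support      microk8s:docker-privileged   :docker-support      -
firewall-control    microk8s:firewall-control    -                    -
home                microk8s:home                :home                -
kubernetes-support  microk8s:kubernetes-support  :kubernetes-support  -
network-bind        microk8s:network-bind        :network-bind        -
process-control     microk8s:process-control     -                    -'

# disconnected_plugs: read `snap connections` output on stdin and print
# "<interface> <plug>" for every row (header skipped) whose Slot column is "-".
disconnected_plugs() {
    awk 'NR > 1 && $3 == "-" { print $1, $2 }'
}

# suggest_connects: turn each disconnected plug into the command an operator
# would run to connect it to the system slot of the same interface.
suggest_connects() {
    disconnected_plugs | awk '{ printf "snap connect %s :%s\n", $2, $1 }'
}

# Real usage: snap connections microk8s | suggest_connects
printf '%s\n' "$SAMPLE_CONNECTIONS" | suggest_connects
```

Interfaces that snapd does not auto-connect show up here after installation; whether connecting them is appropriate is the operator's decision, since each one widens what the confined processes may touch.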

As we all know, Kubernetes is a highly dynamic environment that hosts many applications used for a wide variety of solutions, and often these applications interact with the host machine in ways that are not very secure. Strict confinement ensures that this dynamic environment is isolated from the host and that applications do only what they are supposed to do, so the impact of CVEs, malicious actors, bugs and the like is limited by the isolation. There are caveats to this isolation: some applications require elevated access to critical system resources, and that access might not be granted because it is itself viewed as a vulnerability.

But fear not: MicroK8s comes with an add-on system of verified and tested applications that work under strict confinement, so most general use cases are covered, and the strictly confined ecosystem will grow over time.

If something doesn’t run as expected under strict confinement, you can try to find what’s causing the problem with snappy-debug (installed with snap install snappy-debug):

snappy-debug.scanlog

This command lists any AppArmor denials from the currently installed and running snaps and suggests appropriate interfaces and fixes for the issues.
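As an added example (not from the post or the snappy-debug project), here is the first pass of what scanlog automates, done with awk over AppArmor audit lines: each DENIED event (strict mode) or ALLOWED event (what AppArmor logs instead of blocking when the profile runs in complain mode, as it does in devmode) is reduced to profile, operation and target, and identical events are counted so the most frequent one is at the top. The audit lines embedded below are a constructed sample; the profile names, paths and pids in them are illustrative.

```shell
#!/bin/sh
# Added example (not from the post or the snappy-debug project): summarise
# AppArmor audit events per snap profile. On a host you would pipe in
# `journalctl -k` or `dmesg`; the lines below are a constructed sample with
# illustrative profile names, paths and pids.
SAMPLE_LOG='audit: type=1400 audit(1661500000.101:41): apparmor="DENIED" operation="open" profile="snap.microk8s.daemon-kubelite" name="/proc/sys/net/ipv4/ip_forward" pid=1234 comm="kubelite" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1661500000.102:42): apparmor="DENIED" operation="open" profile="snap.microk8s.daemon-kubelite" name="/proc/sys/net/ipv4/ip_forward" pid=1234 comm="kubelite" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1661500000.250:43): apparmor="DENIED" operation="capable" profile="snap.microk8s.daemon-kubelite" pid=1234 comm="kubelite" capability=12  capname="net_admin"
audit: type=1400 audit(1661500000.300:44): apparmor="ALLOWED" operation="open" profile="snap.microk8s.daemon-containerd" name="/var/snap/microk8s/common/run/containerd.sock" pid=1300 comm="containerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# summarize_apparmor: read audit lines on stdin and print, most frequent first,
#   <count> <status> <profile> <operation> <target>
# where status is DENIED (enforced) or ALLOWED (complain mode / devmode) and
# target is the file path or, for "capable" events, the capability name.
summarize_apparmor() {
    awk '
    # field(s, key): value of key="..." in s, or "-" if absent. The leading
    # space keeps "name" from matching inside "capname".
    function field(s, key,   m) {
        if (match(s, " " key "=\"[^\"]*\"")) {
            m = substr(s, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
            return m
        }
        return "-"
    }
    /apparmor="(DENIED|ALLOWED)"/ {
        status  = field($0, "apparmor")
        profile = field($0, "profile")
        op      = field($0, "operation")
        target  = field($0, "name")
        if (target == "-") target = field($0, "capname")
        count[status " " profile " " op " " target]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Real usage: journalctl -k | summarize_apparmor
printf '%s\n' "$SAMPLE_LOG" | summarize_apparmor
```

The count matters in practice: a denial repeated every reconcile loop is the one that is actually blocking the workload, whereas a one-off probe at startup is often harmless, and the profile name tells you which of the snap’s daemons needs an interface (or a fix) before anything is connected.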

You can also try running the snap in devmode. In devmode the strict confinement profile is kept but applied in complain mode: the snap gets full access to system resources, and every access that strict confinement would have denied is logged instead of blocked, which helps identify the interfaces the snap is missing. Install the snap with the devmode flag:

snap install microk8s --channel=1.25-strict/stable --devmode

You can report bugs and problems by opening an issue on GitHub.
