Strictly Confined MicroK8s

MicroK8s is now available as a strictly confined snap on 1.25!

snap install microk8s --channel=1.25-strict/stable

What is strict confinement?

In summary, it is a snap confinement level that provides complete isolation, up to a minimal access level that’s always deemed safe. Strictly confined snaps can not access files, networks, processes, or any other system resource without requesting specific access. Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp, and namespaces to prevent applications and services from accessing the wider system.

How does this all work?

Interfaces are the key, which can be thought of as a resource access request. Each snap’s interface is carefully selected by the creator to provide specific access to a resource according to its requirements. An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on their function. Visit here for a list of supported interfaces. 

What does this mean for MicroK8s?

For example, MicroK8s has interfaces for container runtimes, network rules, etc. which can be seen here. So when a snap is installed, its metadata is examined and used to derive AppArmor profiles, Seccomp filters, and device cgroup rules, alongside traditional permissions. This combination provides a strong application for confinement and isolation for the Kubernetes runtime.

As we all know, Kubernetes is a highly dynamic environment which hosts a lot of applications that are used for a wide variety of solutions. And often times these applications interact with the host machines in a way that can be not so secure. Strict confinement makes sure that this dynamic environment is isolated from the hosts and that applications are doing what they’re supposed to be doing. So any CVEs, malicious actors, bugs, etc. will be limited with this isolation. Although there are caveats to this isolation, for example, some applications require elevated access to critical system resources which might not be granted they are viewed as vulnerabilities.

But fear not, MicroK8s comes with an addon system with verified and tested applications that will work on strict confinement. So most of the general use cases will be covered, and the strictly confined ecosystem will grow over time.

If there are things that don’t run as expected under strict confinement you can try to find what’s causing the problem by using snappy-debug.

snappy-debug.security scanlog

This command will list any AppArmor denials in the currently installed and running snaps and suggests appropriate interfaces and fixes for the issues.

You can also try running the snap in devmode. A devmode snap runs as a strictly confined snap with full access to system resources and produces debug output to identify unspecified interfaces. You need to install the snap with the devmode flag.

snap install microk8s --channel=1.25-strict/stable --devmode

You can report bugs and problems by opening an issue on GitHub.