Your submission was sent successfully! Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Strictly Confined MicroK8s

This article was last updated 2 years ago.


MicroK8s is now available as a strictly confined snap on 1.25!

snap install microk8s --channel=1.25-strict/stable

What is strict confinement?

In summary, it is a snap confinement level that provides complete isolation, up to a minimal access level that’s always deemed safe. Strictly confined snaps can not access files, networks, processes, or any other system resource without requesting specific access. Strict confinement uses security features of the Linux kernel, including AppArmor, seccomp, and namespaces to prevent applications and services from accessing the wider system.

How does this all work?

Interfaces are the key, which can be thought of as a resource access request. Each snap’s interface is carefully selected by the creator to provide specific access to a resource according to its requirements. An interface needs to be connected to be active, and connections are made either automatically (at install time) or manually, depending on their function. Visit here for a list of supported interfaces. 

What does this mean for MicroK8s?

For example, MicroK8s has interfaces for container runtimes, network rules, etc. which can be seen here. So when a snap is installed, its metadata is examined and used to derive AppArmor profiles, Seccomp filters, and device cgroup rules, alongside traditional permissions. This combination provides a strong application for confinement and isolation for the Kubernetes runtime.

As we all know, Kubernetes is a highly dynamic environment which hosts a lot of applications that are used for a wide variety of solutions. And often times these applications interact with the host machines in a way that can be not so secure. Strict confinement makes sure that this dynamic environment is isolated from the hosts and that applications are doing what they’re supposed to be doing. So any CVEs, malicious actors, bugs, etc. will be limited with this isolation. Although there are caveats to this isolation, for example, some applications require elevated access to critical system resources which might not be granted they are viewed as vulnerabilities.

But fear not, MicroK8s comes with an addon system with verified and tested applications that will work on strict confinement. So most of the general use cases will be covered, and the strictly confined ecosystem will grow over time.

If there are things that don’t run as expected under strict confinement you can try to find what’s causing the problem by using snappy-debug.

snappy-debug.security scanlog

This command will list any AppArmor denials in the currently installed and running snaps and suggests appropriate interfaces and fixes for the issues.

You can also try running the snap in devmode. A devmode snap runs as a strictly confined snap with full access to system resources and produces debug output to identify unspecified interfaces. You need to install the snap with the devmode flag.

snap install microk8s --channel=1.25-strict/stable --devmode

You can report bugs and problems by opening an issue on GitHub.

kubernetes logo

What is Kubernetes?

Kubernetes, or K8s for short, is an open source platform pioneered by Google, which started as a simple container orchestration tool but has grown into a platform for deploying, monitoring and managing apps and services across clouds.

Learn more about Kubernetes ›

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

How should a great K8s distro feel? Try the new Canonical Kubernetes, now in beta

Try the new Canonical Kubernetes beta, our new distribution that combines ZeroOps for small clusters and intelligent automation for larger production...

Canonical Kubernetes 1.29 is now generally available

A new upstream Kubernetes release, 1.29, is generally available, with significant new features and bugfixes. Canonical closely follows upstream development,...

Turbocharge your API and microservice delivery on MicroK8s with Microcks

Give Microcks on MicroK8s a try and experience the benefits of accelerated development cycles and robust testing.