Containerd on a more secure MicroK8s
We have been quiet for a few months just because we have been busy. We were working mainly on two features that we intend to ship in the v1.14 release:
- improved security
- transition to Containerd
These changes affect the backwards compatibility and user experience of MicroK8s, which is why we are timing them to coincide with the upcoming upstream Kubernetes release. Here we provide a) a short description of these features, b) a way for you to test drive the new MicroK8s, and c) the steps for holding back on the release in case it is a major show stopper for you.
The transition to Containerd
We are replacing dockerd with containerd for two main reasons.
- Two dockerd daemons on the same host has proven problematic. MicroK8s brings its own dockerd, which may clash with a local dockerd that users may want to have. With the move to containerd, users can
apt-get install docker.io
without affecting MicroK8s. This switch also means that microk8s.docker will not be available anymore; you will have to use the docker client shipped with your distribution.
- Performance. There is a measurable performance benefit from using containerd. This should not be a surprise, since dockerd itself uses containerd internally. With the switch to containerd we are essentially removing a layer that is docker specific.
Hardening MicroK8s security
MicroK8s is a developer's tool. It is not meant to be deployed in production or in hostile environments. Having said that, we have tried to make MicroK8s more secure by:
- Exposing as few services as we can. Here is a table of the services we left open and the access restrictions that apply to each:
- A CA and certificates are created once at deployment time.
Test drive the upcoming patches
We have prepared a temporary branch you could use to evaluate the above changes:
snap install microk8s --classic --channel=1.13/edge/secure-containerd
If you already have MicroK8s installed, you can switch the channel your MicroK8s is following:
snap refresh --channel=1.13/edge/secure-containerd microk8s
Try it out and let us know if we missed anything.
“Thanks, I’ll pass”
None of the release series up to now will be affected by this change. This means you can have your MicroK8s deployment follow the 1.13 track:
snap refresh --channel=1.13/stable microk8s
Summing up
An important update is coming. Make sure you give it a try with:
snap install microk8s --classic --channel=1.13/edge/secure-containerd
If you do not like what you see, tell us what breaks by filing an issue and keep using the 1.13 track.