Security Concepts
RKE2 cluster
An NKE cluster is based on a Rancher Kubernetes Engine 2 (RKE2) cluster. RKE2 is a CNCF-certified Kubernetes distribution that eases the installation and upgrade of the whole Kubernetes cluster.
Flatcar OS
Nine uses Flatcar OS as the underlying Linux operating system on each cluster node.
From the FAQ of Flatcar OS:
The OS image shipped by Flatcar Container Linux includes just the minimal amount of tools to run container workloads. This means that the attack surface is significantly reduced. On top of this, the OS image is immutable (/usr is a read-only partition and there's no package manager to install packages), which means there's less chance of both accidental and intentional breakage.
Regular OS upgrades
Nine provides periodic upgrades to new operating system images on NKE cluster nodes. These upgrades are rolled out automatically in staged phases across all NKE clusters, within a specified maintenance window.
Cilium CNI
Nine uses Cilium as the networking provider (CNI) in NKE clusters. Cilium enforces Kubernetes NetworkPolicy resources, which can be used to restrict inbound (ingress) and outbound (egress) network traffic of pods.
OIDC authentication
Nine provides central authentication for managed applications. Services like Grafana, Argo CD or the Kubernetes API server itself are secured via OIDC. Besides central management of user access, this also allows two-factor authentication (2FA) to be enforced.
Node firewall
NKE cluster nodes have a publicly reachable IP address assigned by default. Nine restricts access to certain services running on the nodes of an NKE cluster. This includes SSH access, which is only permitted via special VPN servers managed by Nine.
RBAC
Nine provides default cluster-wide RBAC roles which can be assigned to users or service accounts. The following table lists them:

| Name | Description |
|---|---|
| admin | Admin permissions on the cluster: the subject can create, update and delete all namespaces and all resources contained in them. Access to individual namespaces cannot be revoked from this role. |
| viewer | Viewer permissions on the cluster: the subject can view all resources on the cluster except secrets. Additional permissions in specific namespaces can be granted through RBAC. |
| user | User permissions on the cluster: the subject can create namespaces, delete the namespaces it owns and view secrets in those owned namespaces. |
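As an added example (not Nine's own manifests), the following shows how the roles from the table are combined with standard Kubernetes RBAC: the cluster-wide `viewer` role is bound to an OIDC user and to a service account, and the same user is then granted the one thing `viewer` withholds, reading secrets, in a single namespace. It assumes that Nine exposes the roles as ClusterRoles with the names given in the table; the user name `alice@example.com`, the service account `ci-reader` in namespace `ci` and the namespace `shop` are assumptions.

```yaml
# Added example, not part of Nine's documentation. Subject names, the "ci" and
# "shop" namespaces and the assumption that "viewer" is a ClusterRole are
# illustrative.
---
# Cluster-wide read-only access (no secrets) for a human user and a CI
# service account. The User name must match the identity the API server
# derives from the OIDC token (username claim, plus any configured prefix).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: viewer-alice-and-ci
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: viewer                      # assumption: Nine's role is a ClusterRole
subjects:
  - kind: User
    name: alice@example.com         # assumption: OIDC username as seen by the API server
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: ci-reader                 # assumption: a service account in namespace "ci"
    namespace: ci
---
# Namespace-scoped extension: a Role that can read secrets, but only in "shop".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: shop
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
---
# Bind the extra Role to the same user. Because a RoleBinding is confined to
# its namespace, alice still cannot read secrets anywhere else on the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-reader-alice
  namespace: shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-reader
subjects:
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
```

Verify the result with impersonation before handing out the binding: `kubectl auth can-i list secrets -n shop --as=alice@example.com` should answer `yes`, while the same command with `-n kube-system` should answer `no`. If the check unexpectedly fails, compare the subject name with the username the API server actually attaches to the OIDC identity (for example via `kubectl auth whoami` as that user on Kubernetes 1.27 or newer), since RBAC matches the string exactly.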
Managed applications
Nine provides managed applications that help to increase security when using NKE. Examples are:
- a private container image registry
- sealed-secrets for securely storing secrets in a Git repository
- cert-manager for automated management of TLS certificates