Security Concepts

Kubernetes Distribution

An NKE cluster is based on a Rancher Kubernetes Engine 2 (RKE2) cluster. RKE2 is a CNCF-certified Kubernetes distribution which eases the installation and update of the whole Kubernetes cluster.

Operating System

Nine uses Flatcar OS as the underlying Linux operating system on each cluster node.

From the FAQ of Flatcar OS:

The OS image shipped by Flatcar Container Linux includes just the minimal amount of tools to run container workloads. This means that the attack surface is significantly reduced. On top of this, as the OS image is immutable (/usr is a read-only partition and there’s no package manager to install packages), which means there’s less chance of both accidental and intentional breakage.

Upgrades

Nine periodically upgrades NKE cluster nodes to new operating system images. These upgrades are rolled out automatically in staged phases on all NKE clusters during the weekly maintenance window.

Networking

Nine uses Cilium as the networking provider in NKE clusters. Cilium supports Kubernetes NetworkPolicy resources to secure inbound and outbound network traffic.

Firewall

NKE cluster nodes have a publicly reachable IP address assigned by default. Nine restricts access to certain services running on the nodes of an NKE cluster. This includes SSH access, which is only permitted via special VPN servers managed by Nine.

Permissions

Authentication

Nine provides central authentication for managed applications. Services, like Grafana, Argo CD or the Kubernetes API server itself, are secured via OIDC.

In addition to centralized management for user access, OIDC also allows you to set up two-factor authentication (2FA).

Authorization

Nine provides default cluster-wide RBAC (role-based access control) roles which can be assigned to users or service accounts:

| Name | Description |
|---|---|
| admin | Specifies admin permissions to a cluster, meaning that the subject will be able to create new namespaces, update these and also delete these user created namespaces and all resources contained in them. Access to certain namespaces cannot be revoked. |
| viewer | Specifies viewer permissions to a cluster, meaning that the user will be able to view all resources on the cluster, except secrets. More permissions to specific namespaces can be granted through RBAC. |
| user | Specifies user permissions to a cluster, meaning that the user can create namespaces, delete these owned namespaces and can view secrets in owned namespaces. |

Cluster Admin

Administrators in NKE have restricted permissions compared to a full cluster-admin. All permissions are granted in namespaces only. Administrators can create, update, and delete all namespaces that are not owned by Nine, but they do not have unrestricted cluster-wide cluster-admin access. For example, creating, modifying, or deleting Kubernetes ClusterRoleBindings is not allowed.
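
The namespace-scoped grant that the viewer description refers to, written as a Role and RoleBinding because ClusterRoleBindings cannot be created. This is an added example, not taken from Nine's documentation; the namespace shop-prod, the Secret db-credentials and the OIDC username jane@example.com are assumptions.

```yaml
# Added example: lets a subject holding the cluster-wide "viewer" role
# (which excludes Secrets) read exactly one Secret in one namespace.
# Assumed names: namespace "shop-prod", Secret "db-credentials",
# OIDC username "jane@example.com".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-credentials
  namespace: shop-prod
rules:
  - apiGroups: [""]                     # core API group, where Secrets live
    resources: ["secrets"]
    resourceNames: ["db-credentials"]   # one named Secret, not every Secret
    verbs: ["get"]                      # read only; no list, watch or write
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                       # namespaced binding, not a ClusterRoleBinding
metadata:
  name: read-db-credentials
  namespace: shop-prod
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    # Assumed value: must match the username the API server derives
    # from the user's OIDC token.
    name: jane@example.com
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: read-db-credentials
```

Running `kubectl auth can-i get secrets/db-credentials -n shop-prod` as that user should answer yes, and the same query for any other Secret should answer no.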

Custom Resource Definitions (CRDs)

Installing CRDs is currently not possible on NKE clusters for the following reasons:

  • Conflicts: CRDs are cluster-wide resources, which creates a risk of conflicts with pre-installed CRDs or those used by managed add-ons.
  • Security Permissions: CRDs are often paired with Controllers or Operators requiring broad cluster-wide permissions (such as reading all secrets). Granting these permissions could compromise the security of Nine's management components (e.g., alerting systems) running on the cluster.
  • Managed Approach: We aim to provide popular services requiring CRDs as managed add-ons to handle maintenance and updates for you.

We recognize the growing importance of CRDs and the requirement for custom controllers. If your use case requires specific CRDs, please reach out to us at so we can better understand your needs.

Managed Applications

Nine provides certain managed applications which help to increase the security when using NKE. Examples are: