Kubernetes Distribution Compatibility
CloudTaser supports any Kubernetes cluster with Linux nodes. This page documents compatibility across managed services, distributions, and local development environments.
Compatibility Matrix
Managed Kubernetes Services
| Distribution | Operator | Wrapper | eBPF Agent | S3 Proxy | DB Proxy | Notes |
|---|---|---|---|---|---|---|
| GKE Standard (Ubuntu) | Supported | Supported | Supported | Supported | Supported | Recommended for highest protection score |
| GKE Standard (COS) | Supported | Supported | Supported | Supported | Supported | No CONFIG_BPF_KPROBE_OVERRIDE; reactive kill fallback |
| GKE Autopilot | Supported | Supported | Not supported | Supported | Supported | No privileged pods or hostPID |
| EKS (Amazon Linux 2/2023) | Supported | Supported | Supported | Supported | Supported | Kprobe override varies by AMI |
| EKS (Ubuntu) | Supported | Supported | Supported | Supported | Supported | Full support |
| EKS (Bottlerocket) | Supported | Supported | Supported | Supported | Supported | No kprobe override; reactive kill |
| EKS Fargate | Supported | Supported | Not supported | Supported | Supported | No DaemonSets or host access |
| AKS (Ubuntu 22.04) | Supported | Supported | Supported | Supported | Supported | Full enforcement; memfd_secret + kprobe override both available (verified 2026-03-30, kernel 5.15.0-1102-azure) |
| AKS (Azure Linux 3.0) | Supported | Supported | Supported | Supported | Supported | No kprobe override (tracepoint fallback); has memfd_secret + BPF LSM (verified 2026-03-30, kernel 6.6.126.1-1.azl3) |
| OpenShift (RHEL 9) | Supported | Supported | Supported | Supported | Supported | Kprobe override supported |
| OpenShift (RHEL 8) | Supported | Supported | Supported | Supported | Supported | No kprobe override (Red Hat disabled it) |
Self-Managed Distributions
| Distribution | Operator | Wrapper | eBPF Agent | Notes |
|---|---|---|---|---|
| kubeadm (Ubuntu 22.04+) | Supported | Supported | Supported | Full support with default Ubuntu kernel |
| k3s | Supported | Supported | Supported | Depends on host OS kernel |
| RKE2 | Supported | Supported | Supported | Depends on host OS kernel |
| Talos Linux | Supported | Supported | Supported | Immutable OS; no shell access for debugging |
Local Development
| Distribution | Operator | Wrapper | eBPF Agent | Notes |
|---|---|---|---|---|
| kind | Supported | Supported | Limited | Shares host kernel; eBPF works if host kernel supports it |
| minikube (Docker driver) | Supported | Supported | Limited | Shares host kernel |
| minikube (VM driver) | Supported | Supported | Limited | VM kernel may lack BPF features |
| Docker Desktop (with K8s) | Supported | Supported | Not tested | LinuxKit kernel may lack BPF features |
Component Requirements
Operator
The operator is a standard Kubernetes controller with a mutating admission webhook. It has minimal requirements:
| Requirement | Minimum | Notes |
|---|---|---|
| Kubernetes | 1.25+ | Uses admissionregistration.k8s.io/v1 |
| Architecture | amd64, arm64 | Multi-arch images available |
| Permissions | ClusterRole | Needs MutatingWebhookConfiguration, Pod, Deployment, DaemonSet, StatefulSet, Secret, Namespace access |
| Network | Webhook reachable from API server | Service cloudtaser-operator-webhook on port 443 |
Wrapper
The wrapper runs as PID 1 inside application containers. Requirements depend on the desired protection level:
| Requirement | Minimum | For Full Protection |
|---|---|---|
| Linux kernel | 4.15+ | 5.14+ (for memfd_secret) |
| Architecture | amd64, arm64 | Same |
| libc | glibc 2.17+ or musl | glibc required for LD_PRELOAD interposer |
| Vault connectivity | TLS to EU vault endpoint | Same |
| Capabilities | None required | CAP_IPC_LOCK recommended for mlock |
Static binaries and musl
The wrapper's LD_PRELOAD interposer (for memfd-based secret delivery and SIGHUP rotation) requires glibc. Applications built with musl or statically linked binaries skip the interposer and fall back to standard environment variable injection. The SIGHUP rotation strategy falls back to restart on non-glibc containers.
eBPF Agent
The eBPF agent has the strictest requirements because it loads BPF programs into the kernel:
| Requirement | Minimum | For Full Protection |
|---|---|---|
| Linux kernel | 4.15+ (BPF-capable) | 5.8+ (BTF support) |
| BTF | Required for CO-RE | /sys/kernel/btf/vmlinux must exist |
| Capabilities | SYS_ADMIN, SYS_PTRACE, NET_ADMIN, SYS_RESOURCE | Same |
| Pod security | Privileged | Cannot run under restricted PodSecurityStandard |
| Host access | hostPID: true | Required for cross-namespace PID monitoring |
| DaemonSet | Must be allowed | Not supported on Fargate or Autopilot |
S3 Proxy and DB Proxy
Both proxies are standard sidecar containers with no kernel requirements:
| Requirement | Minimum | Notes |
|---|---|---|
| Kubernetes | 1.25+ | Injected as sidecar by operator |
| Vault connectivity | TLS to EU vault endpoint | For Transit engine key wrapping |
| Architecture | amd64, arm64 | Multi-arch images available |
Kernel Requirements Per Feature
| Feature | Kernel Config | Min Version | Impact if Missing |
|---|---|---|---|
| BPF syscall | CONFIG_BPF_SYSCALL | 4.15+ | eBPF agent cannot start |
| BTF (CO-RE) | CONFIG_DEBUG_INFO_BTF | 5.2+ | eBPF agent cannot start |
| kprobe override | CONFIG_BPF_KPROBE_OVERRIDE | 4.16+ | Falls back to reactive kill |
| memfd_secret | CONFIG_SECRETMEM | 5.14+ | Falls back to memfd_create + mlock |
| mlock | Standard | Any | Secrets may be swapped to disk |
| io_uring blocking | Tracepoints | 5.1+ | io_uring bypass possible |
See Kernel Compatibility for the full kernel support matrix.
Known Issues Per Distribution
GKE Autopilot
- eBPF agent cannot run (no privileged pods, no hostPID)
- Wrapper injection works normally
- Protection score is lower (no eBPF enforcement points)
- Workaround: use GKE Standard for workloads requiring runtime enforcement
EKS Fargate
- eBPF agent cannot run (no DaemonSets on Fargate)
- Wrapper injection works normally
- Schedule enforcement-critical workloads on managed node groups instead of Fargate profiles
AKS with Azure Linux 3.0
Verified 2026-03-30 on kernel 6.6.126.1-1.azl3
- `CONFIG_BPF_KPROBE_OVERRIDE` is NOT set — eBPF agent falls back to tracepoint-only reactive kill (21 probes vs 36 on Ubuntu)
- `CONFIG_SECRETMEM=y` — `memfd_secret` IS available
- `CONFIG_BPF_LSM=y` and BPF is in the boot LSM chain — BPF LSM programs work
- Protection score impact: eBPF enforcement check scores lower (reactive kill vs synchronous blocking)
AKS with Ubuntu 22.04
Verified 2026-03-30 on kernel 5.15.0-1102-azure
- `CONFIG_SECRETMEM` is available — `memfd_secret` works (contradicts earlier reports from older node images)
- `CONFIG_BPF_KPROBE_OVERRIDE=y` — full synchronous blocking enforcement (36 probes)
- BPF LSM is compiled in but not in the boot LSM chain — BPF LSM programs won't load
- Recommended for highest protection score on AKS
AKS Helm upgrade note
AKS has a built-in admissions enforcer that modifies webhook namespaceSelector fields. The Helm chart includes `admissions.enforcer/disabled: "true"` annotations so that server-side apply (SSA) does not report conflicts on those fields during upgrades.
OpenShift on RHEL 8
- Red Hat explicitly disabled `CONFIG_BPF_KPROBE_OVERRIDE` in the RHEL 8 kernel config
- eBPF agent uses reactive kill fallback
- Upgrade to OpenShift on RHEL 9 for synchronous blocking support
kind / minikube (local development)
- eBPF features depend on the host kernel (containers share the host kernel)
- On macOS with Docker Desktop, the LinuxKit VM kernel may lack BTF support
- For full eBPF testing locally, use a Linux host with a 5.8+ kernel
- The wrapper and operator work normally in all local environments
Talos Linux
- Immutable OS with no shell access
- Debugging requires `talosctl` instead of `kubectl exec` on nodes
- Kernel configuration supports BPF and BTF by default
- All CloudTaser components work normally
Checking Compatibility
Use `cloudtaser validate` to check cluster compatibility:

```bash
cloudtaser validate
```

This checks:
- Vault connectivity and health
- Kubernetes auth configuration
- Node kernel versions
- eBPF agent availability per node
For per-node kernel checks:
```bash
# Check kernel versions across all nodes
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\t"}{.status.nodeInfo.osImage}{"\n"}{end}'

# Check BPF kprobe override support on a specific node. The pipeline runs on the
# node; an unset option is reported as "# CONFIG_BPF_KPROBE_OVERRIDE is not set".
kubectl debug node/<node-name> -it --image=busybox -- \
  sh -c 'zcat /proc/config.gz 2>/dev/null | grep CONFIG_BPF_KPROBE_OVERRIDE'
```
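The following is an added example, not CloudTaser's own tooling: it applies the Kernel Requirements Per Feature table to one node, taking the kernel release (as from `uname -r`) and the kernel config text (as from `zcat /proc/config.gz`) and reporting, per feature, whether it is available or which fallback the table names. The two sample configs are constructed to mirror the AKS Ubuntu 22.04 and Azure Linux 3.0 rows above, not captured from real nodes.

```shell
# Added example, not CloudTaser's own code: apply the "Kernel Requirements Per
# Feature" table to one node from its kernel release (uname -r) and config text
# (zcat /proc/config.gz). The sample configs at the bottom are constructed.

# kver_ge RELEASE MAJOR MINOR: succeed if RELEASE is at least MAJOR.MINOR
kver_ge() {
  maj=${1%%.*}; rest=${1#*.}
  min=${rest%%.*}; min=${min%%-*}
  [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# has_opt CONFIG_NAME CONFIG_TEXT: succeed if the option is built in (=y)
has_opt() {
  printf '%s\n' "$2" | grep -q "^$1=y$"
}

# feature_status RELEASE CONFIG_TEXT FEATURE: print "available" or the fallback
# named in the table when the kernel version or config lacks the feature
feature_status() {
  case $3 in
    bpf_syscall)
      if kver_ge "$1" 4 15 && has_opt CONFIG_BPF_SYSCALL "$2"; then echo available
      else echo "missing: eBPF agent cannot start"; fi ;;
    btf)
      if kver_ge "$1" 5 2 && has_opt CONFIG_DEBUG_INFO_BTF "$2"; then echo available
      else echo "missing: eBPF agent cannot start (no CO-RE)"; fi ;;
    kprobe_override)
      if kver_ge "$1" 4 16 && has_opt CONFIG_BPF_KPROBE_OVERRIDE "$2"; then
        echo "available: synchronous blocking"
      else echo "missing: falls back to reactive kill"; fi ;;
    memfd_secret)
      if kver_ge "$1" 5 14 && has_opt CONFIG_SECRETMEM "$2"; then echo available
      else echo "missing: falls back to memfd_create + mlock"; fi ;;
    *) echo "unknown feature: $3" >&2; return 1 ;;
  esac
}

# Constructed sample configs (only the options the check reads), modelled on
# the AKS Ubuntu 22.04 and Azure Linux 3.0 rows of the compatibility matrix
UBUNTU_CFG='CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_SECRETMEM=y'
AZL_CFG='CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
CONFIG_SECRETMEM=y'
for f in bpf_syscall btf kprobe_override memfd_secret; do
  printf '%-16s %s\n' "$f" "$(feature_status 6.6.126.1-1.azl3 "$AZL_CFG" "$f")"
done
```

On a live node, call `feature_status "$(uname -r)" "$(zcat /proc/config.gz)" kprobe_override` (or run it inside a `kubectl debug node/...` session) to get the same verdict for that node.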