Kubernetes Distribution Compatibility¶
cloudtaser supports any Kubernetes cluster with Linux nodes. This page documents compatibility across managed services, distributions, and local development environments.
Compatibility Matrix¶
Managed Kubernetes Services¶
| Distribution | Operator | Wrapper | eBPF Agent | S3 Proxy | DB Proxy | Notes |
|---|---|---|---|---|---|---|
| GKE Standard (Ubuntu) | Supported | Supported | Supported | Supported | Supported | Recommended for highest protection score |
| GKE Standard (COS) | Supported | Supported | Supported | Supported | Supported | No CONFIG_BPF_KPROBE_OVERRIDE; reactive kill fallback |
| GKE Autopilot | Supported | Supported | Not supported | Supported | Supported | No privileged pods or hostPID |
| EKS (Amazon Linux 2/2023) | Supported | Supported | Supported | Supported | Supported | Kprobe override varies by AMI |
| EKS (Ubuntu) | Supported | Supported | Supported | Supported | Supported | Full support |
| EKS (Bottlerocket) | Supported | Supported | Supported | Supported | Supported | No kprobe override; reactive kill |
| EKS Fargate | Supported | Supported | Not supported | Supported | Supported | No DaemonSets or host access |
| AKS (Ubuntu 22.04) | Supported | Supported | Supported | Supported | Supported | Full enforcement; memfd_secret + kprobe override both available (verified 2026-03-30, kernel 5.15.0-1102-azure) |
| AKS (Azure Linux 3.0) | Supported | Supported | Supported | Supported | Supported | No kprobe override (tracepoint fallback); has memfd_secret + BPF LSM (verified 2026-03-30, kernel 6.6.126.1-1.azl3) |
| OpenShift (RHEL 9) | Supported | Supported | Supported | Supported | Supported | Kprobe override supported |
| OpenShift (RHEL 8) | Supported | Supported | Supported | Supported | Supported | No kprobe override (Red Hat disabled it) |
Self-Managed Distributions¶
| Distribution | Operator | Wrapper | eBPF Agent | Notes |
|---|---|---|---|---|
| kubeadm (Ubuntu 22.04+) | Supported | Supported | Supported | Full support with default Ubuntu kernel |
| k3s | Supported | Supported | Supported | Depends on host OS kernel |
| RKE2 | Supported | Supported | Supported | Depends on host OS kernel |
| Talos Linux | Supported | Supported | Supported | Immutable OS; no shell access for debugging |
Local Development¶
| Distribution | Operator | Wrapper | eBPF Agent | Notes |
|---|---|---|---|---|
| kind | Supported | Supported | Limited | Shares host kernel; eBPF works if host kernel supports it |
| minikube (Docker driver) | Supported | Supported | Limited | Shares host kernel |
| minikube (VM driver) | Supported | Supported | Limited | VM kernel may lack BPF features |
| Docker Desktop (with K8s) | Supported | Supported | Not tested | LinuxKit kernel may lack BPF features |
Component Requirements¶
Operator¶
The operator is a standard Kubernetes controller with a mutating admission webhook. It has minimal requirements:
| Requirement | Minimum | Notes |
|---|---|---|
| Kubernetes | 1.28+ | Uses admissionregistration.k8s.io/v1 |
| Architecture | amd64, arm64 | Multi-arch images available |
| Permissions | ClusterRole | Needs MutatingWebhookConfiguration, Pod, Deployment, DaemonSet, StatefulSet, Secret, Namespace access |
| Network | Webhook reachable from API server | Service cloudtaser-operator-webhook on port 443 |
Wrapper¶
The wrapper runs as PID 1 inside application containers. Requirements depend on the desired protection level:
| Requirement | Minimum | For Full Protection |
|---|---|---|
| Linux kernel | 4.15+ | 5.14+ (for memfd_secret) |
| Architecture | amd64, arm64 | Same |
| libc | Any (glibc / musl / static) | Same |
| OpenBao connectivity | TLS to EU OpenBao endpoint | Same |
| Capabilities | None required | CAP_IPC_LOCK recommended for mlock |
Static binaries, musl, and libc independence
The wrapper is a pure-Go binary that delivers secrets to the application through execve() environment-variable inheritance: the child process reads them with os.Getenv, getenv or process.env depending on its language. No dynamic linker is required. Statically linked Go (CGO_ENABLED=0), Rust x86_64-unknown-linux-musl, hand-compiled -static C, and scratch / distroless / alpine base images all work unmodified, with zero code changes. See Wrapper Design for the fork+exec chain.
Applications whose threat model rejects even the transient /proc/PID/environ window (where the env var exists during the child's lifetime, blocked from cross-process reads by the eBPF layer) can opt into the cloudtaser Go SDK for direct memfd_secret reads. That's an enhancement for the strongest posture, not a workaround for static Go.
eBPF Agent¶
The eBPF agent has the strictest requirements because it loads BPF programs into the kernel:
| Requirement | Minimum | For Full Protection |
|---|---|---|
| Linux kernel | 4.15+ (BPF-capable) | 5.8+ (BTF support) |
| BTF | Required for CO-RE | /sys/kernel/btf/vmlinux must exist |
| Capabilities | SYS_ADMIN, SYS_PTRACE, NET_ADMIN, SYS_RESOURCE | Same |
| Pod security | Privileged | Cannot run under restricted PodSecurityStandard |
| Host access | hostPID: true | Required for cross-namespace PID monitoring |
| DaemonSet | Must be allowed | Not supported on Fargate or Autopilot |
S3 Proxy and DB Proxy¶
Both proxies are standard sidecar containers with no kernel requirements:
| Requirement | Minimum | Notes |
|---|---|---|
| Kubernetes | 1.28+ | Injected as sidecar by operator |
| OpenBao connectivity | TLS to EU OpenBao endpoint | For Transit engine key wrapping |
| Architecture | amd64, arm64 | Multi-arch images available |
Kernel Requirements Per Feature¶
| Feature | Kernel Config | Min Version | Impact if Missing |
|---|---|---|---|
| BPF syscall | CONFIG_BPF_SYSCALL | 4.15+ | eBPF agent cannot start |
| BTF (CO-RE) | CONFIG_DEBUG_INFO_BTF | 5.2+ | eBPF agent cannot start |
| kprobe override | CONFIG_BPF_KPROBE_OVERRIDE | 4.16+ | Falls back to reactive kill |
| memfd_secret | CONFIG_SECRETMEM | 5.14+ | Falls back to memfd_create + mlock |
| mlock | Standard | Any | Secrets may be swapped to disk |
| io_uring blocking | Tracepoints | 5.1+ | io_uring bypass possible |
See Kernel Compatibility for the full kernel support matrix.
Known Issues Per Distribution¶
GKE Autopilot¶
- eBPF agent cannot run (no privileged pods, no hostPID)
- Wrapper injection works normally
- Protection score is lower (no eBPF enforcement points)
- Workaround: use GKE Standard for workloads requiring runtime enforcement
EKS Fargate¶
- eBPF agent cannot run (no DaemonSets on Fargate)
- Wrapper injection works normally
- Schedule enforcement-critical workloads on managed node groups instead of Fargate profiles
AKS with Azure Linux 3.0¶
Verified 2026-03-30 on kernel 6.6.126.1-1.azl3
- CONFIG_BPF_KPROBE_OVERRIDE is NOT set - eBPF agent falls back to tracepoint-only reactive kill (21 probes vs 36 on Ubuntu)
- CONFIG_SECRETMEM=y - memfd_secret IS available
- CONFIG_BPF_LSM=y and BPF is in the boot LSM chain - BPF LSM programs work
- Protection score impact: eBPF enforcement check scores lower (reactive kill vs synchronous blocking)
AKS with Ubuntu 22.04¶
Verified 2026-03-30 on kernel 5.15.0-1102-azure
- CONFIG_SECRETMEM is available - memfd_secret works (contradicts earlier reports from older node images)
- CONFIG_BPF_KPROBE_OVERRIDE=y - full synchronous blocking enforcement (36 probes)
- BPF LSM is compiled in but not in the boot LSM chain - BPF LSM programs won't load
- Recommended for highest protection score on AKS
AKS Helm upgrade note¶
AKS has a built-in admissions enforcer that rewrites the namespaceSelector of webhook configurations. The Helm chart adds the admissions.enforcer/disabled: "true" annotation to the webhook configuration so that server-side apply (SSA) does not conflict with those rewrites during upgrades.
OpenShift on RHEL 8¶
- Red Hat explicitly disabled CONFIG_BPF_KPROBE_OVERRIDE in the RHEL 8 kernel config
- eBPF agent uses reactive kill fallback
- Upgrade to OpenShift on RHEL 9 for synchronous blocking support
kind / minikube (local development)¶
- eBPF features depend on the host kernel (containers share the host kernel)
- On macOS with Docker Desktop, the LinuxKit VM kernel may lack BTF support
- For full eBPF testing locally, use a Linux host with a 5.8+ kernel
- The wrapper and operator work normally in all local environments
Talos Linux¶
- Immutable OS with no shell access
- Debugging requires talosctl instead of kubectl exec on nodes
- Kernel configuration supports BPF and BTF by default
- All cloudtaser components work normally
Multi-Cluster Support¶
A single EU-hosted OpenBao can serve multiple Kubernetes clusters across different cloud providers and regions. The CLI's migration plan workflow supports this through per-cluster plan files:
```bash
# Generate plans for each cluster
cloudtaser-cli target discover --kubeconfig ~/.kube/gke-eu -o plan-gke.yaml
cloudtaser-cli target discover --kubeconfig ~/.kube/eks-eu -o plan-eks.yaml

# Apply both plans to the same vault
cloudtaser-cli source apply-plan plan-gke.yaml --openbao-addr https://vault.eu.example.com --token hvs.TOKEN
cloudtaser-cli source apply-plan plan-eks.yaml --openbao-addr https://vault.eu.example.com --token hvs.TOKEN
```
Each cluster gets its own plan. All plans point to the same OpenBao. OpenBao policies and Kubernetes auth roles are per-namespace, so clusters can share OpenBao paths or use isolated paths depending on the naming convention.
See Enterprise Deployment Architecture for the full multi-cluster topology.
Checking Compatibility¶
Use cloudtaser-cli target validate to check cluster compatibility:

```bash
cloudtaser-cli target validate
```

This checks:
- OpenBao connectivity and health
- Kubernetes auth configuration
- Node kernel versions
- eBPF agent availability per node
For per-node kernel checks:
```bash
# Check kernel versions across all nodes
kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.kernelVersion}{"\t"}{.status.nodeInfo.osImage}{"\n"}{end}'

# Check BPF kprobe override support on a specific node
kubectl debug node/<node-name> -it --image=busybox -- \
  zcat /proc/config.gz 2>/dev/null | grep CONFIG_BPF_KPROBE_OVERRIDE
```
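The grep above answers one question about one config option. The script below, an added example that is not part of the cloudtaser project or its CLI, turns the whole "Kernel Requirements Per Feature" table into a per-node classification: given a node's kernel config text (what zcat /proc/config.gz prints), its release string, and its active LSM list, it reports which enforcement mode the eBPF agent can offer, which secret backend the wrapper gets, and whether BPF LSM is actually active. The function names are hypothetical, the thresholds are the table's, and the two sample nodes are constructed to mirror the AKS notes above rather than captured from real nodes.

```shell
#!/bin/sh
# Added example, not part of the cloudtaser project: classify one node against
# the "Kernel Requirements Per Feature" table. Inputs are the text of the node's
# kernel config (what `zcat /proc/config.gz` prints) and its release string
# (`uname -r`, or .status.nodeInfo.kernelVersion from `kubectl get nodes`).
# All function names below are hypothetical; the thresholds are the table's.

# True if kernel release $1 (e.g. "5.15.0-1102-azure") is at least $2 (e.g. "5.14").
# Only major.minor are compared; the distro suffix is ignored.
kernel_at_least() {
    have_major=${1%%.*}
    case $1 in *.*) rest=${1#*.} ;; *) rest=0 ;; esac
    have_minor=${rest%%[!0-9]*}
    want_major=${2%%.*}
    want_minor=${2#*.}
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]
}

# True if "$2=y" appears on its own line in config text $1.
# "# CONFIG_X is not set" lines deliberately do not match.
config_enabled() {
    printf '%s\n' "$1" | grep -q "^$2=y\$"
}

# Enforcement the eBPF agent can offer on this node:
#   none        - agent cannot start (no BPF syscall, or no BTF for CO-RE)
#   synchronous - kprobe override available, the call is blocked in-kernel
#   reactive    - tracepoint-only fallback, offending process is killed after the fact
enforcement_mode() {
    cfg=$1; rel=$2
    if ! config_enabled "$cfg" CONFIG_BPF_SYSCALL || ! kernel_at_least "$rel" 4.15; then
        echo none; return 0
    fi
    if ! config_enabled "$cfg" CONFIG_DEBUG_INFO_BTF || ! kernel_at_least "$rel" 5.2; then
        echo none; return 0
    fi
    if config_enabled "$cfg" CONFIG_BPF_KPROBE_OVERRIDE && kernel_at_least "$rel" 4.16; then
        echo synchronous
    else
        echo reactive
    fi
}

# Secret storage the wrapper gets: memfd_secret needs CONFIG_SECRETMEM on 5.14+,
# otherwise the fallback is memfd_create + mlock (secrets may still be swapped
# if mlock itself is unavailable).
secret_backend() {
    if config_enabled "$1" CONFIG_SECRETMEM && kernel_at_least "$2" 5.14; then
        echo memfd_secret
    else
        echo memfd_create+mlock
    fi
}

# True only if "bpf" is in the active LSM list (contents of /sys/kernel/security/lsm).
# CONFIG_BPF_LSM=y alone is not enough, as the AKS Ubuntu note above shows.
bpf_lsm_active() {
    case ",$1," in *,bpf,*) return 0 ;; *) return 1 ;; esac
}

# One summary line per node: name, config text, release, active LSM list.
assess_node() {
    if bpf_lsm_active "$4"; then lsm=active; else lsm=inactive; fi
    printf '%s: kernel=%s enforcement=%s secrets=%s bpf_lsm=%s\n' \
        "$1" "$3" "$(enforcement_mode "$2" "$3")" "$(secret_backend "$2" "$3")" "$lsm"
}

# Constructed sample inputs modelled on the two AKS notes above; they are not
# captured node output.
UBUNTU_CFG='CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_SECRETMEM=y
CONFIG_BPF_LSM=y'
UBUNTU_REL=5.15.0-1102-azure
UBUNTU_LSM=lockdown,capability,landlock,yama,apparmor

AZL_CFG='CONFIG_BPF_SYSCALL=y
CONFIG_DEBUG_INFO_BTF=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
CONFIG_SECRETMEM=y
CONFIG_BPF_LSM=y'
AZL_REL=6.6.126.1-1.azl3
AZL_LSM=lockdown,capability,yama,selinux,bpf

assess_node aks-ubuntu-2204 "$UBUNTU_CFG" "$UBUNTU_REL" "$UBUNTU_LSM"
assess_node aks-azure-linux-3 "$AZL_CFG" "$AZL_REL" "$AZL_LSM"
```

On a real cluster, feed assess_node the output of the kubectl debug command above (zcat /proc/config.gz without the grep), the kernelVersion column from kubectl get nodes, and the contents of /sys/kernel/security/lsm from the same debug pod. Nodes that come back as "none" will not run the eBPF agent at all, while "reactive" nodes run it in the lower-scoring tracepoint mode described under Known Issues.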