# Platform Compatibility
CloudTaser runs on any Kubernetes cluster with Linux nodes. However, the protection score varies by platform due to kernel configuration differences.
## Protection Score by Platform
| Platform | Node OS | memfd_secret | kprobe enforcement | Max Score |
|---|---|---|---|---|
| GKE | Ubuntu | ✅ | ✅ | 100/115 |
| GKE | COS | ✅ | ❌ | 85/115 |
| AKS | Ubuntu 22.04 | ❌ | ✅ | 85/115 |
| AKS | Azure Linux | ✅ | ❌ | 85/115 |
| EKS | Ubuntu | ✅ | ✅ | ~100/115 |
| EKS | Amazon Linux | ❓ | ❓ | TBD |
| EKS | Bottlerocket | ❓ | ❌ | TBD |
| K3s/kubeadm | Ubuntu 22.04+ | Depends on kernel | ✅ | Up to 100/115 |
## Recommended: GKE with Ubuntu nodes
For the highest protection score (100/115), use GKE with Ubuntu node images:
```shell
gcloud container node-pools create cloudtaser-pool \
  --cluster=my-cluster \
  --image-type=UBUNTU_CONTAINERD \
  --machine-type=e2-standard-4
```
This is the only managed Kubernetes option that provides both memfd_secret (kernel-invisible memory) and CONFIG_BPF_KPROBE_OVERRIDE (synchronous syscall blocking).
## Why scores differ

### memfd_secret (15 points)

memfd_secret() creates memory regions that are removed from the kernel's direct map, so the kernel itself (and any kernel module) cannot read them through its normal mappings. It requires CONFIG_SECRETMEM=y in the node kernel.

- Available on: GKE (COS and Ubuntu), AKS Azure Linux, and any 5.14+ kernel built with CONFIG_SECRETMEM
- Missing on: AKS Ubuntu 22.04 (the Azure kernel disables CONFIG_SECRETMEM despite being 5.14+)
- Fallback: memfd_create + mlock. Secrets are still protected from swap and core dumps, but remain visible to kernel modules.
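The fallback order above, as an added example that is not CloudTaser's own code: the routine tries memfd_secret() first and drops to memfd_create + mlock when the syscall is unavailable (ENOSYS on kernels without CONFIG_SECRETMEM, or EPERM under a restrictive seccomp profile). The syscall number 447 is assumed only for headers older than 5.14, MADV_DONTDUMP is what actually keeps the fallback pages out of core dumps, and the memfd name "cloudtaser-secret" is a constructed label.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef SYS_memfd_secret
#define SYS_memfd_secret 447 /* x86_64/arm64 number; headers older than 5.14 lack the macro */
#endif
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC 0x0001U
#endif
/* Backing actually obtained, best first; the page's 85-point fallback is BACKING_MEMFD_MLOCK. */
typedef enum { BACKING_NONE, BACKING_MEMFD_SECRET, BACKING_MEMFD_MLOCK, BACKING_MEMFD_UNLOCKED } backing_t;
typedef struct { void *addr; size_t len; int fd; backing_t backing; } secret_buf_t;

/* Size the fd and map it MAP_SHARED (secretmem rejects private mappings). */
static void *map_fd(int fd, size_t len) {
    if (ftruncate(fd, (off_t)len) != 0) return MAP_FAILED;
    return mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
}

/* Allocate `len` bytes for a secret: memfd_secret first, memfd_create + mlock otherwise. */
int secret_buf_alloc(secret_buf_t *buf, size_t len) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), rounded = (len + pg - 1) / pg * pg;
    *buf = (secret_buf_t){ NULL, rounded, -1, BACKING_NONE };
    /* Kernels built without CONFIG_SECRETMEM fail here with ENOSYS; seccomp may give EPERM. */
    int fd = (int)syscall(SYS_memfd_secret, 0);
    if (fd >= 0) {
        void *p = map_fd(fd, rounded);
        if (p != MAP_FAILED) { *buf = (secret_buf_t){ p, rounded, fd, BACKING_MEMFD_SECRET }; return 0; }
        close(fd); /* e.g. EAGAIN when RLIMIT_MEMLOCK is exhausted; fall back */
    }
    fd = (int)syscall(SYS_memfd_create, "cloudtaser-secret", MFD_CLOEXEC); /* constructed name */
    if (fd < 0) return -1;
    void *p = map_fd(fd, rounded);
    if (p == MAP_FAILED) { close(fd); return -1; }
    /* mlock keeps pages out of swap and MADV_DONTDUMP out of core dumps; kernel modules can still read them. */
    backing_t b = (mlock(p, rounded) == 0) ? BACKING_MEMFD_MLOCK : BACKING_MEMFD_UNLOCKED;
    (void)madvise(p, rounded, MADV_DONTDUMP);
    *buf = (secret_buf_t){ p, rounded, fd, b };
    return 0;
}

/* Wipe before unmapping so the plaintext never lingers in a reusable page; safe to call twice. */
void secret_buf_free(secret_buf_t *buf) {
    if (buf->addr) { explicit_bzero(buf->addr, buf->len); munmap(buf->addr, buf->len); }
    if (buf->fd >= 0) close(buf->fd);
    *buf = (secret_buf_t){ NULL, 0, -1, BACKING_NONE };
}
```

Inspect `backing` after the call to see which tier a given node actually delivered; on the AKS Ubuntu 22.04 row of the table it will never be BACKING_MEMFD_SECRET.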
### kprobe enforcement (15 points)
bpf_override_return() allows the eBPF agent to synchronously block syscalls (e.g., prevent /proc/environ reads). Requires CONFIG_BPF_KPROBE_OVERRIDE=y.
- Available on: Ubuntu kernels (Canonical enables this by default)
- Missing on: Cloud-native kernels (Azure Linux, GKE COS, Bottlerocket)
- Fallback: Reactive kill — the agent detects the violation and terminates the process after the fact
### Why cloud kernels disable kprobe override
Cloud providers disable CONFIG_BPF_KPROBE_OVERRIDE because:
- It was designed for kernel developer testing, not production use
- It can be used offensively (block kill signals, bypass LSM hooks)
- Minimal attack surface is a design goal for cloud-native kernels
See eBPF issue #95 for detailed research.
## Remaining 15 points
The remaining points require infrastructure changes not available on standard managed Kubernetes:
- cpu_mitigations (5 pts): Kernel boot parameters for CPU vulnerability mitigations. Not configurable on managed K8s.
- confidential_vm (10 pts): AMD SEV-SNP hardware memory encryption. Requires specific VM types (GKE: --enable-confidential-nodes, AKS: DCasv5/ECasv5).