Ubuntu Operating System

Ubuntu is a Linux distribution, based on Debian and composed mostly of free and open-source software. It is one of the most popular operating systems across multiple public cloud platforms.

Palette supports the following Ubuntu versions to run clusters at scale.



Version Supported



Ubuntu LTS__20.04



Ubuntu 20.4.x to Kubernetes Dependency Matrix

Ubuntu Version    Kubernetes
LTS__20.04        1.23.4
                  1.22.7
                  1.21.10

Customize Your Image File

Spectro Golden images include most of the hardening standards recommended by CIS benchmarking v1.5. You can include custom files to be copied over to the nodes and/or execute a list of commands before or after kubeadm init/join is executed.



kubeadmconfig:
  # Commands executed on the node before kubeadm init/join
  preKubeadmCommands:
  - echo "Executing pre kube admin config commands"
  - update-ca-certificates
  - 'systemctl restart containerd; sleep 3'
  - 'while [ ! -S /var/run/containerd/containerd.sock ]; do echo "Waiting for containerd..."; sleep 1; done'
  # Commands executed on the node after kubeadm init/join
  postKubeadmCommands:
  - echo "Executing post kube admin config commands"
  # Custom files copied over to the nodes
  files:
  - targetPath: /usr/local/share/ca-certificates/mycom.crt
    targetOwner: "root:root"
    targetPermissions: "0644"
    content: |
      -----BEGIN CERTIFICATE-----
      <base64-encoded certificate data>
      -----END CERTIFICATE-----

Ubuntu Advantage

Canonical Ubuntu Advantage extends your infrastructure's security, certified compliance, and 24x7 support. With Palette, enable the UA services when modifying the Pack Values. See below for steps on how to modify the Preset options.

Benefits with UA:

  • Extended Security Maintenance
  • Kernel Livepatch service to avoid reboots
  • FIPS 140-2 Level 1 certified crypto modules
  • Common Criteria EAL2

For more information see the Ubuntu Advantage for Infrastructure site.



Modifying the Presets

  1. Palette allows you to include the Ubuntu Advantage service in the Profile Layers section, when you create a new cluster profile.
  2. Give the new Pack a Name, Version number, Description, Type, and Tags and click the Next button.
  3. Choose the cloud provider as the Infrastructure provider and click the Next button.
  4. Edit the Packs with the following parameters:

    • Pack Type - OS
    • Registry - Public Repo
    • Pack Name - Ubuntu
    • Pack Version - LTS_ 18.4.x or LTS-HWE__18.04 or LTS _20.4.x

  5. Modify the Ubuntu Pack values to activate the Presets options for the Ubuntu YAML configuration file. You can also make additional modifications to the original kubeadmconfig file.
  6. Click the Ubuntu Advantage checkbox to include the UA parameters listed below in the configuration file.
  7. Toggle on or off to enable or disable the UA services of your choice.
  8. Once the file is updated, click the Next layer button to continue to the next layer.

Notable Parameters

Services, with their Options, Values and Description:

  • Token - Enter the token key in the text box. e.g.: C13RaHQDqgvvG3Ys

  • CIS - enable/disable
      true - Get access to OpenSCAP-based tooling that automates both hardening and auditing with certified content based off of the published CIS benchmarks.
      false - Do not access OpenSCAP-based tooling.

  • ESM-infra - enable/disable
      true - Continue to receive security updates for the Ubuntu base OS, critical software packages and infrastructure components with Extended Security Maintenance (ESM). ESM provides five additional years of security maintenance, enabling an organization's continuous vulnerability management.
      false - Do not receive security updates for Ubuntu Base OS etc.

  • FIPS - enable/disable
      true - Federal Information Processing Standards (FIPS) 140 validated cryptography for Linux workloads on Ubuntu.
      false - Do not have FIPS 140 validated cryptography for Linux workloads on Ubuntu.

  • Livepatch - enable/disable
      true - Livepatch eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs.
      false - Do not activate Livepatch.
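
To confirm on a node that the UA services match the toggles described above, the following added example (not part of Palette or of the original page) compares the UA client's JSON status with the intended settings. The sample status is constructed; the field names (attached, services, name, entitled, status), the lowercase service names and the DESIRED mapping are assumptions about the output of `ua status --format json` and about how the presets are recorded.

```python
import json

# Constructed sample, trimmed to the fields this check reads. The layout is an
# assumption about what `ua status --format json` prints on an attached node.
SAMPLE_STATUS = json.dumps({
    "attached": True,
    "services": [
        {"name": "cis", "entitled": "yes", "status": "disabled"},
        {"name": "esm-infra", "entitled": "yes", "status": "enabled"},
        {"name": "fips", "entitled": "yes", "status": "disabled"},
        {"name": "livepatch", "entitled": "yes", "status": "enabled"},
    ],
})

# Hypothetical record of the preset toggles chosen in the pack (True = toggled on).
DESIRED = {"cis": True, "esm-infra": True, "fips": False, "livepatch": True}


def ua_drift(status_json, desired):
    """Return sorted (service, problem) pairs where the node differs from the presets."""
    status = json.loads(status_json)
    if not status.get("attached"):
        # Without a valid token nothing below can be enabled, so report that once.
        return [("*", "node is not attached")]
    reported = {svc.get("name"): svc for svc in status.get("services", [])}
    findings = []
    for name, want in sorted(desired.items()):
        svc = reported.get(name)
        if svc is None:
            if want:
                findings.append((name, "service not reported"))
            continue
        state = svc.get("status")
        if want and svc.get("entitled") != "yes":
            findings.append((name, "token is not entitled to this service"))
        elif want and state != "enabled":
            findings.append((name, f"expected enabled, found {state}"))
        elif not want and state == "enabled":
            findings.append((name, "expected disabled, found enabled"))
    return findings


if __name__ == "__main__":
    for service, problem in ua_drift(SAMPLE_STATUS, DESIRED):
        print(f"{service}: {problem}")
```

An empty result means the node matches the presets; on a real node, pass the captured command output in place of SAMPLE_STATUS.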

References

Ubuntu 18.04.6 LTS (Bionic Beaver)

Ubuntu 20.04.4 LTS (Focal Fossa)

Ubuntu Advantage for Infrastructure