Ubuntu is a Linux distribution, based on Debian and composed mostly of free and open-source software. It is one of the most popular operating systems across multiple public cloud platforms.
Palette supports the following Ubuntu versions to run clusters at scale.
Spectro Golden images include most of the hardening standards recommended by CIS benchmarking v1.5. You can include custom files to be copied over to the nodes and/or execute a list of commands before or after kubeadm init/join is executed.
```yaml
kubeadmconfig:
  # Commands run on the node before kubeadm init/join
  preKubeadmCommands:
  - echo "Executing pre kube admin config commands"
  - update-ca-certificates
  - 'systemctl restart containerd; sleep 3'
  - 'while [ ! -S /var/run/containerd/containerd.sock ]; do echo "Waiting for containerd..."; sleep 1; done'
  # Commands run on the node after kubeadm init/join
  postKubeadmCommands:
  - echo "Executing post kube admin config commands"
  # Files copied to the node
  files:
  - targetPath: /usr/local/share/ca-certificates/mycom.crt
    targetOwner: "root:root"
    targetPermissions: "0644"
    content: |
      -----BEGIN CERTIFICATE-----
      <PEM-encoded certificate body>
      -----END CERTIFICATE-----
```
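Because these files and commands are applied on every node, it is worth linting the block before it goes into a cluster profile. The following is an added example, not code from Palette or Spectro Cloud: a Python check that assumes the YAML has already been parsed into a mapping. The function name `lint_kubeadmconfig`, the sample inputs, and the rule that containerd must be restarted after the trust store refresh are assumptions modelled on the configuration above.

```python
import base64
import re

CA_DIR = "/usr/local/share/ca-certificates/"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def lint_kubeadmconfig(cfg):
    """Return findings for a parsed kubeadmconfig mapping (empty list = clean)."""
    findings, ca_files = [], 0
    pre = cfg.get("preKubeadmCommands", [])
    for f in cfg.get("files", []):
        path = f.get("targetPath", "")
        mode = int(str(f.get("targetPermissions", "0644")), 8)
        if mode & 0o022:
            findings.append(f"{path}: writable by group or others ({mode:04o})")
        if f.get("targetOwner") != "root:root":
            findings.append(f"{path}: owner is not root:root")
        if not path.startswith(CA_DIR):
            continue
        ca_files += 1
        if not path.endswith(".crt"):  # update-ca-certificates only reads *.crt
            findings.append(f"{path}: not a .crt file, trust store will skip it")
        m = PEM_RE.search(f.get("content", ""))
        try:  # structural check only; it does not validate the X.509 contents
            base64.b64decode("".join(m.group(1).split()), validate=True)
        except (AttributeError, ValueError):
            findings.append(f"{path}: content is not a well-formed PEM block")
    if ca_files:
        refresh = [i for i, c in enumerate(pre) if "update-ca-certificates" in c]
        restart = [i for i, c in enumerate(pre) if "restart containerd" in c]
        if not refresh:
            findings.append("CA file added but update-ca-certificates never runs")
        elif not restart or max(restart) < min(refresh):
            findings.append("containerd is not restarted after the trust store refresh")
    return findings

# Constructed sample input: the page's YAML shape as Python mappings.
_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
GOOD = {
    "preKubeadmCommands": ["update-ca-certificates", "systemctl restart containerd; sleep 3"],
    "files": [{"targetPath": CA_DIR + "mycom.crt", "targetOwner": "root:root",
               "targetPermissions": "0644",
               "content": f"-----BEGIN CERTIFICATE-----\n{_BODY}\n-----END CERTIFICATE-----"}],
}
BAD = {
    "preKubeadmCommands": ["systemctl restart containerd; sleep 3"],
    "files": [{"targetPath": CA_DIR + "mycom.pem", "targetOwner": "root:root",
               "targetPermissions": "0666", "content": "not a certificate"}],
}
```

`lint_kubeadmconfig(GOOD)` returns an empty list, while `BAD` yields four findings: loose permissions, wrong file extension, malformed PEM, and a missing trust store refresh.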
Canonical Ubuntu Advantage extends your infrastructure's security, certified compliance, and 24x7 support. With Palette, enable the UA services when modifying the Pack Values. See below for steps on how to modify the Preset options.
Benefits with UA:
- Extended Security Maintenance
- Kernel Livepatch service to avoid reboots
- FIPS 140-2 Level 1 certified crypto modules
- Common Criteria EAL2
For more information see the Ubuntu Advantage for Infrastructure site.
- Palette allows you to include the Ubuntu Advantage service in the Profile Layers section, when you create a new cluster profile.
- Give the new Pack a Name, Version number, Description, Type, and Tags and click the Next button.
- Choose the cloud provider as the Infrastructure provider and click the Next button.
Edit the Packs with the following parameters:
Pack Type - OS
Registry - Public Repo
Pack Name - Ubuntu
Pack Version - LTS__18.4.x or LTS-HWE__18.04 or LTS__20.4.x
- Modify the Ubuntu Pack values to activate the Presets options for the Ubuntu YAML configuration file. You can also make additional modifications to the original kubeadmconfig file.
- Click the Ubuntu Advantage checkbox to include the UA parameters listed below in the configuration file.
- Toggle on or off to enable or disable the UA services of your choice.
- Once the file is updated, click the Next layer button to continue to the next layer.
Services | Options | Values | Description |
---|---|---|---|
Token | Enter the token key in the text box, e.g.: C13RaHQDqgvvG3Ys | | |
CIS | enable/disable | true / false | true: Get access to OpenSCAP-based tooling that automates both hardening and auditing with certified content based off of the published CIS benchmarks. false: Do not access OpenSCAP-based tooling. |
ESM-infra | enable/disable | true / false | true: Continue to receive security updates for the Ubuntu base OS, critical software packages and infrastructure components with Extended Security Maintenance (ESM). ESM provides five additional years of security maintenance, enabling an organization's continuous vulnerability management. false: Do not receive security updates for Ubuntu Base OS etc. |
FIPS | enable/disable | true / false | true: Federal Information Processing Standards (FIPS) 140 validated cryptography for Linux workloads on Ubuntu. false: Do not have FIPS 140 validated cryptography for Linux workloads on Ubuntu. |
Livepatch | enable/disable | true / false | true: Livepatch eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. false: Do not activate Livepatch. |
Ubuntu 18.04.6 LTS (Bionic Beaver)