Kubernetes

Data Security

As part of DigitalOcean’s shared responsibility model, you are responsible for securing the data you store on our services.

For data security purposes, we recommend that you protect your DigitalOcean account credentials and set up individual user accounts with DigitalOcean Teams to help maintain proper access for your services. We also recommend that you secure your data in the following additional ways:

On Kubernetes 1.19 and later versions, we now provision two fully managed firewalls for each new Kubernetes cluster. One firewall manages the connection within the VPC, and the other manages connections between worker nodes and the public internet.

Encryption At Rest

Kubernetes Secrets maintained in etcd are encrypted at rest. This is an additional layer of hardware encryption that provides even stronger security.

Encryption In Transit

All traffic to and from the Kubernetes API is secured by TLS.

Logging and Monitoring

For more information on how to set up monitoring for Kubernetes, please refer to the Kubernetes Monitoring Documentation. DigitalOcean does not offer audit logging at this time.

Compliance

Kubernetes is audited by third parties as part of DigitalOcean’s SOC 2 Type 2 report. For details on how to request access to this report, please visit our Trust Platform Certifications page.

Infrastructure Security

As a platform-as-a-service offering, DigitalOcean maintains the security of the infrastructure that Kubernetes is hosted on. For more details, please review our Infrastructure Security Overview page.

Data Center Location Availability

You can enable high availability for your Kubernetes cluster. Please refer to the High Availability Documentation. At least one data center in every region supports Kubernetes. Under certain compliance regimes like the Health Insurance Portability and Accountability Act (HIPAA) in the United States, you may be required to build your services using a highly available configuration. If HIPAA is applicable to your business, please visit our HIPAA information site to learn more.

Key Management

DigitalOcean manages encryption keys for etcd, TLS keys, and certificates for the Kubernetes API. We hand out credentials for your Kubernetes clusters in the form of configuration files (also known as the kubeconfig). You are responsible for securing those credentials.
