Learn how to change the configuration of the security update policy for your cluster.
The OVHcloud Managed Kubernetes service provides Kubernetes clusters without the hassle of installing or operating them. At OVHcloud, we like to provide you with the best products and services. For us, security is important. That’s why, by default, we apply security updates on your Kubernetes clusters.
Requirements
- an OVHcloud Managed Kubernetes cluster
Instructions
Configure security update policy through the OVHcloud Control Panel
From the OVHcloud Control Panel:
- Select
Public Cloud
from the top navigation bar. - Choose your project.
- Click
Managed Kubernetes Service
in the left-hand menu. - Click the more options
...
button to the right of your cluster, and chooseManage cluster
.
From the Management panel, click on Change security policy
.
A pop-up displays all the options you can have: Maximum security, Minimum unavailability, and Do not update.
- Maximum security. Apply (’patch version’) security updates to my Kubernetes service to guarantee service security and stability. The update may result in your nodes being unavailable for a few minutes while we perform the rolling update.
- Minimum unavailability. Apply (’patch version’) security updates to my Kubernetes service to guarantee service security and stability. If we cannot avoid downtime while performing a rolling update on your nodes, we will report this to you. We advise sizing your cluster to ensure that it can be updated at any time.
- Do not update. We do not recommend this choice. OVHcloud reserves the right to update Kubernetes components or your nodes on an exceptional basis, in critical cases that limit the security of our infrastructure.
The security policy Maximum security is configured by default. Even though we recommend that you keep this setting, you can choose the security policy that is convenient for you.
Choose an option and click Confirm
.
Configure security update policy through Terraform
Since version 0.20+ of our OVHcloud Terraform provider, you can configure the security update policy at cluster creation and update also through Terraform.
Getting your cluster/API tokens information
The “OVHprovider” needs to be configured with a set of credentials:
- an
application_key
- an
application_secret
- a
consumer_key
Why?
Behind the scenes, the “OVHcloud Terraform provider” is making requests to OVHcloud APIs.
To retrieve this information, please follow our First Steps with the OVHcloud APIs tutorial.
Specifically, you have to generate these credentials via the OVHcloud token generation page with the following rights:
When you have successfully generated your OVHcloud tokens, please save them as you will have to use them very soon.
The last information we need is the service_name
: it is the ID of your Public Cloud project.
How to get it?
In the Public Cloud section, you can retrieve your service name ID thanks to the Copy to clipboard
button.
You will also use this information in the Terraform resources definition files.
Terraform instructions
First, create a provider.tf
file with the minimum version, US endpoint (“ovh-us”), and the keys previously retrieved in this guide.
Terraform 0.13 and later:
Terraform 0.12 and earlier:
Alternatively the secret keys can be retrieved from your environment.
OVH_ENDPOINT
OVH_APPLICATION_KEY
OVH_APPLICATION_SECRET
OVH_CONSUMER_KEY
This second method (or a similar alternative) is recommended to avoid storing secret data in a source repository.
Here, we defined the ovh-us
endpoint because we want to call the OVHcloud US API, but other endpoints exist depending on your needs:
-
ovh-us
for OVHcloud US API -
ovh-ca
for OVHcloud North America API -
ovh-eu
for OVHcloud Europe API
Create a variables.tf
file with service_name:
Define the resources you want to create in a new file called ovh_kube_cluster.tf
:
In the resources configuration, we ask Terraform to create a Kubernetes cluster, in the US-EAST-VA-1 region, using Kubernetes version 1.31 (the last and recommended version at the time we wrote this tutorial), with a security update policy of “Do not update”.
Now we need to initialize Terraform, generate a plan, and apply it.
The init
command will initialize your working directory which contains .tf
configuration files.
It’s the first command to execute for a new configuration, or it can be executed after doing a checkout of an existing configuration in a given git repository.
The init
command will:
- Download and install Terraform providers/plugins
- Initialize the backend (if defined)
- Download and install modules (if defined)
Now, we can generate our plan:
Thanks to the plan
command, we can check what Terraform wants to create, modify, or remove.
The plan is okay for us, so let’s apply it:
Update
If you want to update the security policy, you can also do it through Terraform. Edit the ovh_kube_cluster.tf
file with this content:
And apply it:
Destroy
If you want to delete the Kubernetes cluster you added through Terraform, you have to execute the terraform destroy
command:
For more information and tutorials, please see our other Managed Kubernetes or Platform as a Service guides. You can also explore the guides for other OVHcloud products and services.
If you need training or technical assistance to implement our solutions, contact your sales representative or click on this link to get a quote and ask our Professional Services experts for a custom analysis of your project.