Security For Linux Nodes

This page describes security considerations and best practices specific to the Linux operating system.

Protection for Secret data on nodes

On Linux nodes, memory-backed volumes (such as secret volume mounts, or emptyDir with medium: Memory) are implemented with a tmpfs filesystem.

If you have swap configured and use an older Linux kernel (or a current kernel with an unsupported Kubernetes configuration), data in memory-backed volumes can be written to persistent storage.

The Linux kernel officially supports the noswap tmpfs mount option from version 6.3. If swap is enabled on the node, it is therefore recommended that the kernel be version 6.3 or later, or carry a backport of the noswap option.

Read the swap memory management page for more information.
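A node-side check that follows from the points above, written here as an added example (it is not part of the Kubernetes documentation or the kubelet): it tests whether the running kernel is at least 6.3 and lists tmpfs mounts for Secret and emptyDir volumes whose options do not include noswap. The sample mount table is constructed for the example; the kubelet pod directory layout under /var/lib/kubelet/pods/ is assumed to be the default root directory (it differs if the kubelet was started with a custom --root-dir), and a kernel with a backported noswap option will pass the mount check but not the version check.

```shell
#!/bin/sh
# Added example, not from the Kubernetes docs: audit a Linux node for
# memory-backed volumes that could be swapped out.

# Constructed sample in /proc/mounts format. On a real node, audit_node
# below reads /proc/mounts directly.
SAMPLE_MOUNTS='tmpfs /var/lib/kubelet/pods/1111/volumes/kubernetes.io~secret/db-creds tmpfs rw,relatime,size=65536k,noswap 0 0
tmpfs /var/lib/kubelet/pods/2222/volumes/kubernetes.io~secret/api-token tmpfs rw,relatime,size=65536k 0 0
tmpfs /var/lib/kubelet/pods/3333/volumes/kubernetes.io~empty-dir/scratch tmpfs rw,relatime,size=131072k 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# kernel_supports_noswap MAJOR MINOR: succeeds when the version is >= 6.3,
# the first mainline kernel with the tmpfs noswap option.
kernel_supports_noswap() {
  major=$1
  minor=$2
  [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 3 ]; }
}

# kernel_version_ok "6.3.0-rc1": parses a `uname -r` style string and
# applies kernel_supports_noswap to its major.minor part.
kernel_version_ok() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  minor=${minor%%-*}
  kernel_supports_noswap "$major" "$minor"
}

# swappable_volumes: reads /proc/mounts-formatted text on stdin and prints
# the mount point of every kubelet Secret or emptyDir tmpfs mount whose
# mount options lack noswap. Field 2 is the mount point, field 3 the
# filesystem type, field 4 the comma-separated options.
swappable_volumes() {
  awk '$3 == "tmpfs" && $2 ~ /\/volumes\/kubernetes\.io~(secret|empty-dir)\// {
        n = split($4, opts, ",")
        has = 0
        for (i = 1; i <= n; i++) if (opts[i] == "noswap") has = 1
        if (!has) print $2
      }'
}

# swap_enabled: reads /proc/swaps-formatted text on stdin; succeeds when at
# least one swap device is listed after the header line.
swap_enabled() {
  [ "$(tail -n +2 | wc -l | tr -d ' ')" -gt 0 ]
}

# audit_node: run the checks against the live node.
audit_node() {
  if kernel_version_ok "$(uname -r)"; then
    echo "kernel $(uname -r): noswap supported"
  else
    echo "kernel $(uname -r): older than 6.3, verify that noswap is backported"
  fi
  if swap_enabled < /proc/swaps; then
    echo "swap is enabled: memory-backed volumes without noswap can reach disk"
  else
    echo "swap is disabled"
  fi
  swappable_volumes < /proc/mounts |
    sed 's/^/WARNING: memory-backed volume mounted without noswap: /'
}
```

Run audit_node as root on the node; a healthy configuration either reports swap disabled or reports a 6.3+ kernel with no WARNING lines. On the constructed sample, the two mounts without noswap (api-token and scratch) are reported.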

Last modified June 22, 2025 at 4:08 PM PST: Add a linux-security doc entry (24b1f35dfb)