Defend Zero Day Attacks

Garner holistic visibility across development and deployment life cycle. Mitigate risks proactively to foil attacks with our most advanced and sophisticated CNAPP product.

Open Source

AccuKnox is the first 5G Security-ORAN to be published on Nephio

From fortifying the control plane to addressing vulnerabilities in the data plane, read the white paper and discover the crucial steps we need to take in order to enhance the security of 5G networks.

Cloud Native Security Redefined

Accelerate your cloud journey with our battle-tested expertise, delivering a comprehensive zero trust framework that safeguards cloud infrastructure and applications from targeted attacks.

Open Source

KubeArmor is now certified Redhat Openshift Operator

Embracing the Power of Open Source: We are proud to contribute to the open-source community, allowing businesses to leverage the strength of KubeArmor to safeguard their containerized environments.

Announcing KubeArmor Support for EKS-Anywhere

by | Aug 15, 2023

This blog cover the steps to deploy KubeArmor on Amazon EKS Anywhere. It also covers the security features from KubeArmor in relation to Amazon Elastic Kubernetes Service Anywhere.
Reading Time: 5 minutes


Amazon EKS Anywhere allows you to deploy and operate Kubernetes clusters on your own infrastructure, with optional AWS support.
It lets you perform full lifecycle management of many Kubernetes clusters, as well as offering up-to-date and patched software for a more dependable on-premises Kubernetes environment.
As deployment targets, EKS Anywhere is compatible with Bare Metal, CloudStack, and VMware vSphere.
KubeArmor, which interfaces with EKS-Anywhere, offers users previously unheard-of control over system behavior. Users may limit file system access, manage process spawning inside pods, guard against privilege escalation assaults, and block access to critical assets.
KubeArmor integration with EKS Anywhere improves cluster administration and ensures environmental safety.

Kubernetes On-Prem with Amazon EKS Anywhere

Amazon EKS Anywhere allows installing and managing Kubernetes clusters on your own infrastructure, with optional support from AWS. EKS Anywhere supports full lifecycle management of multiple Kubernetes clusters that can operate completely independently of any AWS services. It provides open-source software that’s up to date and patched so you can have an on-premises Kubernetes environment that’s more reliable than a self-managed Kubernetes offering. EKS Anywhere is compatible with Bare Metal, CloudStack, and VMware vSphere as deployment targets.

Securing Amazon EKS Anywhere At Runtime With KubeArmor

Although EKS Anywhere can make cluster administration easier, the issue of protecting how Kubernetes namespaces, pods, workloads, and clusters interaction and access of shared resources remains an unsolved problem. It is imperative that workloads are protected at runtime since most of the attacks such as cryptomining, ransomware, data exfiltration, denial of service are manifest once the workloads are deployed in target k8s environment.

Amazon strongly endorses the adoption of safety protocols for EKS, in the following crucial security domains:

  • Identity and Access Management
  • Pod Security
  • Runtime Security
  • Network Security
  • Regulatory Compliance
  • Incident Response and Forensics

In line with the recommended safety guidelines for Amazon EKS, KubeArmor comprehensively fulfills these requirements. Getting up to speed on the Kubernetes threat environment proves to be difficult for security teams. New responsibilities for Kubernetes infrastructure and workloads lead to high overhead. Furthermore, ensuring that platform and application teams have consistency and complete visibility across environments for configurations and settings to fulfill AWS EKS security best practices can be difficult. KubeArmor helps you take care of most of these for you.

Runtime Enforcement

KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM for runtime enforcement of user applied policies. KubeArmor simplifies cloud-native runtime security by integrating seamlessly with Amazon EKS-Anywhere.

By aligning KubeArmor with EKS-Anywhere, users gain unprecedented control over system behavior. You get to:

  • Restrict file system access for specific processes.
  • Govern process spawning within pods.
  • Prevent privilege escalation attacks
  • Prevent access to sensitive assets
  • Apply Process allow-listing based rules
  • Apply Process based Network Access control
  • And many more…

Use Cases for EKS-Anywhere

  1. Prevention of Backdoor Operations:
  2. Detection of unauthorized fetch-store-exec operations from compromised processes or malicious code.
  3. Thwarts unauthorized network interface usage.
  4. Averts unauthorized file system manipulations.
  5. Halts unauthorized process execution, termination, and thread hijacking.

This integration empowers the integrity of your clusters to deliver optimal security across the Kubernetes workload.

Application Behavior

For cloud-native deployments, understanding application actions and interactions is complex. Lack of visibility can lead to security blind spots. 

KubeArmor using eBPF (Extended Berkeley Packet Filter) for observability/monitoring solves these issues by outlining a summarized view of application behavior. You can streamline your application monitoring on EKS Anywhere by letting KubeArmor highlight all these attack vectors.  

KubeArmor offers a clear look into system and application behavior, simplifying insights. It compiles and presents data, helping comprehend application actions.

  1. Process Insights: Identifies executing processes within pods. Tracks processes and their parent processes.
  2. File Analysis: Monitors file system access by different processes.

Network Observations: Examines Ingress/Egress connections from pods. Tracks server binds within pods.

Harden Infrastructure

KubeArmor offers robust security for Kubernetes and cloud-native platforms. By applying hardening policies from trusted frameworks like CIS, MITRE, NIST-800-53, and STIGs it streamlines workload security for Amazon EKS Anywhere environment. 

The ready-made applicability and a simple setup are added advantages. Tailored policies for your workloads help you to understand their impact on the system. This way you can make informed security decisions while maintaining functionality.

Least Permissive Access

KubeArmor adds a zero trust posture in Kubernetes clusters by allowing users to define allow-based policies. It means you get to restrict specific operations and audit all others. Authorized activities are allowed and deviations from expected behavior are denied. Such a zero trust posture protects sensitive data, prevents system breaches, and maintains cluster integrity. 

KubeArmor’s zero-trust capabilities in Amazon EKS Anywhere elevates your security stance. For instance, designated pods or containers can only invoke a predefined set of binaries during runtime. The allow-based rules are granular and atomic. Other processes fall under denial as per the default security guidelines.

Network Microsegmentation
Microsegmentation is a network security technique that allows security architects to create network security zone borders per machine in data centers and cloud deployments to separate and safeguard workloads independently. It is currently utilized on both the client network and the data center network.  Security is inherently linked to network segmentation, and KubeArmor delivers on this front. It allows isolating workloads, limiting lateral movement, and cutting the attack surface. This is done via:

  • Cluster-level isolation
  • Network-level Control
  • IP-based segmentation
  • Network Security Enforcement

Deploying KubeArmor on Amazon EKS Anywhere

STEP 1: Install KubeArmorOperator using the official kubearmor Helm chart repo.

helm repo add kubearmor https:
helm repo update kubearmor
helm upgrade –install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor

STEP 2: Apply default KubeArmor configuration

kubectl apply -f -n kubearmor

This sets up the KubeArmor security solution on your Amazon EKS Anywhere cluster using Helm and applies default configurations for enhanced protection.

Closing Thoughts

We are excited to announce the integration of KubeArmor with Amazon EKS Anywhere. KubeArmor’s comprehensive features covering both observability and enforcement makes the management of your clusters inherently more secure. As you take charge of managing your clusters, KubeArmor ensures that your environment always remains protected.  EKS Anywhere for bare metal allows for more widespread adoption of on-premise K8s installation. The vulnerability assessment and K8s security by KubeArmor assists organizations in managing risks in cloud-native settings. Integrate security and adapt to hybrid cloud architectures with unified visibility.

Please enable JavaScript in your browser to complete this form.
We protect your organization against current and emerging threats with Zero Trust Cloud Security Solutions