Defend Zero Day Attacks

Garner holistic visibility across development and deployment life cycle. Mitigate risks proactively to foil attacks with our most advanced and sophisticated CNAPP product.

Open Source

AccuKnox is the first 5G Security-ORAN to be published on Nephio

From fortifying the control plane to addressing vulnerabilities in the data plane, read the white paper and discover the crucial steps we need to take in order to enhance the security of 5G networks.

Cloud Native Security Redefined

Accelerate your cloud journey with our battle-tested expertise, delivering a comprehensive zero trust framework that safeguards cloud infrastructure and applications from targeted attacks.

Open Source

KubeArmor is now certified Redhat Openshift Operator

Embracing the Power of Open Source: We are proud to contribute to the open-source community, allowing businesses to leverage the strength of KubeArmor to safeguard their containerized environments.

Implementing Runtime Security using KubeArmor

by | Oct 28, 2021

Reading Time: 3 minutes

Accuknox is the only Cloud Workload Protection Platform (CWPP) that provides
extensive protection to the application vector at runtime using KubeArmor Open source technology. Kubearmor is an open source project that was founded at
Accuknox and it continues to be the core maintainer of the project.

What is Kubearmor?

  • KubeArmor is an open source application firewalling solution built for Cloud
    Native workloads.
  • KubeArmor uses Linux Security Modules (LSMs – AppArmor or SELinux to enforce
    application security), Syscall Filtering and soon eBPF LSMs to support
    hardening of a given process or container while interacting with the host,
    resources or other processes locally or across the network.
  • Additionally, KubeArmor produces alert logs for policy violations that
    happen in containers by monitoring the operations of containers’ processes
    using its eBPF-based system monitor.
  • KubeArmor allows operators to define security policies based on Kubernetes
    metadata and simply apply them into Kubernetes.
  • Additionally KubeArmor supports virtual machine and baremetal workloads at
    this moment of time.

What can you do with KubeArmor and what is Runtime Application Security?

With KubeArmor, users can create an application firewall restrictions that
allow us to restrict

  • What kind of processes can be spawned from a given process
  • What kind of network access is allowed
  • What kind of file access is allowed
  • What kinds of general system capabilities are permitted to the app.

Process Graph

Accuknox also automatically builds a full profile of the application at
runtime a feature we call as the process graph. The process graph is a
runtime profile of the application segmented as application and network
specific behaviors and is grouped by specific accesses over time.

The process graph provides full transparency into the application’s runtime
behavior and easily allows users to select / create create policies to block
specific unknown behaviors without quarantining the entire application.

Setting up KubeArmor

Setting up Kubearmor using Accuknox cloud platform typically requires
installation of an agent in a Kubernetes environment and can be done using the
installation guide given below (for GKE):

Deploy KubeArmor for GKE

kubectl apply -f

Deploy KubeArmor Host Policy

kubectl apply -f

Deploy KubeArmor Policy

kubectl apply -f

KubeArmor policy specification is provided on this link

Creating Runtime Application Security Policies on Accuknox

Creating application security policies can be done as Yaml or using the UI
that the accuknox control plane provides. Users have several options for
application security policies including the ability to restrict specific

In the above examples, we have created a simple firewall that allows a
specific container to be able to allow a certain path / process to run as well
as provide access to a certain directory.

The policy as code generated for the the given policies as show below.

Application developers can shift this security policy to the left and make
it as a part of the deployment artifacts.

Auto Discovery of KubeArmor Policies

Accuknox’s enterprise offering provides full support of auto-discovery of policies on cloud workloads. Click here to learn about the auto discovery of policies for KubeArmor.

Questions / Suggestions?

Please join
Kubearmor Slack channel
or the community on

to provide feedback on Kubearmor.

Now you can protect your workloads in minutes using
AccuKnox, it is available to protect your Kubernetes and other cloud workloads using
Kernel Native Primitives such as AppArmor, SELinux, and eBPF.

Let us know if you are seeking additional guidance in planning your
cloud security program.

Please enable JavaScript in your browser to complete this form.
We protect your organization against current and emerging threats with Zero Trust Cloud Security Solutions