KubeArmor: 1 Year Anniversary - Past, Present, and Future

KubeArmor provides runtime protection for Kubernetes and other cloud-native workloads. It is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operation) of containers and nodes at the system level. It also delivers observability and policy enforcement systems for restricting any and all unwanted and malicious behaviors of workloads at runtime.

KubeArmor – the “Eureka” moment!

Back in 2020, my colleague Rahul Jadhav and industry-renowned Linux Kernel guru, Suchakra were exploring solutions for cloud-native security. With Solarwinds and Log4J attacks, the volume and velocity of zero-day attacks were skyrocketing, and it was a topical subject.

While researching and testing various compliance frameworks and tools, Rahul and Suchakra were inspired by the MITRE ATT&CK Matrix, and its foundational capabilities for the development of specific threat models and methodologies.

Inspired by MITRE TTPs, with a vision and mission to contribute to a significant impact in the cybersecurity defense of cloud-native workloads, the duo decided to build a durable solution to the underlying problem of cloud-native workload security. They had a proven record of Opensource contributions in the past years, Rahul and Suchakra decided to open-source KubeArmor. The Security industry is very reticent to embracing products that claim to deliver “security by obscurity”. Hence, rather than re-invent the wheel or develop some newfangled security technology only to see that hackers have found a way around it, Rahul and Suchakra decided to leverage prominent Linux Security Modules (LSMs) (such as AppArmor, SELinux, or BPF-LSM) to enforce the user-specified policies.

Later in 2020, 2 of my colleagues, brilliant freshly minted PhDs, Kernel Engineers, Jaehyun Nam, and Seungsoo Lee joined the technical crew for the initial v0.1 development of the open-source-led KubeArmor. Robert Ficcaglia and Mats Nählinder, are 2 very well-recognized Silicon Valley security professionals. They took an interest in KubeArmor and Robert introduced KubeArmor to the CNCF community.

We have been thrilled and validated to see the achievements of KubeArmor Opensource traction over this past year (2021-2022), as KubeArmor became one of the most popular Kubernetes security tools in the ecosystem, with:

• ⭐ 440+ Stargazers on Github
• 🚀 160,000+ KubeArmor downloads from GitHub
• 🤝 60+ Contributors (3x growth since May 2021)

KubeArmor’s Milestones 2021–2022

How does AccuKnox leverage the KubeArmor Engine?

AccuKnox, built on KubeArmor Opensource, is a Zero Trust Cloud Native Application Protection Platform (CNAPP) delivered in a Shift Left, DevSecOps fashion. From development to runtime, AccuKnox simplifies:

• Providing deep security observability into application behavior – as the adage “you cannot secure what you don’t see” goes
• Hardening Kubernetes containers
• Application firewalling, micro-segmentation
• Automating zero-trust policy management
• Anomaly detection and continuous compliance

AccuKnox is committed to leveraging the best-in-class open-source platforms like KubeArmor and Cilium and contributing to the open source community, enabling the end customers to leverage the power and visibility to implement Zero Trust policies.

CNCF Adopts KubeArmor as a sandbox project

CNCF Adopts KubeArmor as a sandbox projectKubeArmor was accepted to CNCF on November 15, 2021, and is currently at the Sandbox project maturity level.

Visit KubeArmor's feature on CNCF’s official website here.

KubeArmor: Present & Future Roadmap

Present – it is inspiring to see how KubeArmor has evolved from a simple tool to now providing extensive multi-cloud and operating system support. The latest release of KubeArmor v0.6 has support for GKE, AKS, EKS, Openshift, and Rancher.

Additionally, KubeArmor can now support IoT Edge workloads and AWS BottleRocket.

 

Roadmap – Since 5G networks are quickly emerging, monitoring should extend across all layers of the 5G network. For the prevention of potential unknown 5G attacks, KubeArmor plans on supporting its coverage on 5G network layers as well.

AccuKnox will work with SRI International on the Prestigious National Science Foundation (NSF) 5G Security Research Award. Learn more here.

 

We have been invited to join the 5G Open Innovation Lab, here is a link to the announcement.

The above real-time KubeArmor Dashboard (containing forks, stargazers, and PRs) can be accessed here.

Summary

KubeArmor is very well established as the proven Zero Trust security platform for Kubernetes workloads in the Cloud and well poised to benefit from Kubernetes adjacencies in the Edge/IoT, Data on Kubernetes (DoK), and 5G. None of KubeArmor’s achievements would have been possible without our amazing community of team members, users, contributors, well-wishers, advocates, and the CNCF community. We are very pleased with the progress we have made in 1 year and are immensely excited about the potential ahead.

Join the KubeArmor Slack channel to communicate with the KubeArmor open-source community.

AccuKnox delivers full Enterprise-ready features and this is depicted below.

Reach out to us and we will be glad to lend you a hand.

Learn more about AccuKnox:

• 🌍Website:  Zero Trust Cloud-Native Application Protection Platform
• 📄Help Docs: Intro - AccuKnox
• 📝Blogs:  Blog