ARM support for KubeArmor
Why was the ARM support considered?
KubeArmor is increasingly deployed in near-edge and far-edge scenarios for enhancing security for IoT/Edge aspects. KubeArmor has added support to handle the characteristics of edge scenarios such as:
- Support for heterogeneous platforms (most of the edge is deployed on ARM, Intel). KubeArmor ensures that the same policy enforcement techniques are delivered across different Linux kernel versions. It does this by abstracting the policy layer from the enforcement layer and the enforcement layer uses the techniques that are available in the context of the deployed worker node.
- Edge devices are constrained in terms of CPU and memory availability. The overall resource usage on KubeArmor has been drastically reduced. This has not only helped edge scenarios but cloud-based deployments as well.
- KubeArmor supports the philosophy of “Do not assume always-on connectivity with the cloud platform”.
Recently KubeArmor finished its integration with LF Edge Open Horizon. KubeArmor is also now listed on Intel SmartEdge Marketplace. LF Edge Open Horizon and Intel® Smart Edge are edge computing platforms for deploying edge networks and delivering multi-access edge computing (MEC) for applications, containers, k8s, and virtual machines.
Which ARM platforms were tested?
- Raspberry Pi (RPi) – Both as a systemd service and on k8s
- Azure ARM VM
- Apple Macbook M1 laptops
Network Policy & Microsegmentation support using KubeArmor
In Kubernetes, the network policy resource is a set of network traffic rules that are applied to a group of pods in a Kubernetes cluster. The network policy specifies how a pod is allowed to communicate with others. Network policy controllers (running as pods in the Kubernetes cluster) convert the requirements and restrictions of the network policies that are retrieved from the Kubernetes API into the network infrastructure.
KubeArmor has visibility into the network connections made into or from the pods. It has visibility across socket(), bind(), connect(), accept() calls. KubeArmor along with the discovery-engine could now auto-generate kubernetes network policy which are enforceable using most of the k8s CNIs (Container Network Interface). Note that the discovered policies use k8s abstractions for identifying services, deployments, and pods such as k8s labels, and namespaces.
This release allows kubearmor and discovery-engine to do automatic network micro-segmentation by detecting the network connections and creating appropriate network policies based on it. These auto-generated network policies are enforceable using any CNI that supports k8s network policy namely, Cilium, Calico, AWS VPC CNI, and Weave.
Container based policy support
KubeArmor currently applies policy at the pod level i.e. in the KubeArmorPolicy you specify the selector labels which selects a set of pods across the cluster. However, a single pod may contain multiple containers and each container usually has a very different purpose and the set of binaries or file paths may vary across multiple containers within the pod.
This release adds support to apply the policies at specific container level by extending the selector label policy construct. Following is an instantiation of this construct:
kind: KubeArmorPolicy
metadata:
name: block-ls-at-container-1
namespace: wordpress-mysql
spec:
severity: 2
selector:
matchLabels:
app: wordpress
kubearmor.io/container.name: “[container-1]”
process:
matchPaths:
– path: /bin/ls
action:
Block
Note the use of kubearmor.io/container.name: “[container-1]” construct as part of the selector labels that allows KubeArmor to select specific container(s) within the pod.
Need for this support
The file system paths and binaries present in different containers might be completely different. Without this feature, the block of a process operation in one container would also be blocked in other containers. The discovery-engine automatically discovers the security posture of the k8s application discovers what operations should be allowed. These operations are container specific and should be restricted to specific containers. Thus without the ability to specify container specific rules, there are chances that either the security posture is too generic (in the case of allow based policies) or too restrictive (in the case of block based policies).
Backward compatibility
Specifying container specific labels are optional i.e., if the container information is not specified then the previous way of applying the policies at pod level is retained.
Using un-privileged container for KubeArmor daemonset (as a part of LFX Mentorship)
KubeArmor is a security policy engine and it needs to be ensured that the engine itself follows all the right security practices. Privileged containers are usually frowned upon. Almost every static scanning engine will flag this as an issue. In lot of cases, organizations deploy admission controllers that would not allow containers to be installed in privileged mode.
This release achieves following in the context:
- Removes the use of privilege: true flag in the context of kubearmor and associated accessory pods.
- Enables individual capabilities in place of enabling all capabilities for the KubeArmor containers.
- Allows KubeArmor to be installed in non-kube-system namespace.
Kudos to Anurag Kumar who achieved this as part LFX Mentorship Project.
Workload behavior summary with KubeArmor and Discovery Engine
KubeArmor can observe system events at different dimensions including, Process, File, and Network events. Discovery Engine connects to KubeArmor and does aggregation of this information over a time period to provide app behavior summary. The use-cases for this summary view are:
- User can view what are the different process getting spawned in the given workload. Workload could be filtered based on namespace, labels etc.
- User can view what file system paths are accessed. For e.g., user can check which processes within the workload are accessing service account token.
- User can check what network connections are handled by the workload. Note that the ingress/egress connections are pinned down to the final process which handles it.
❯ karmor summary -n wordpress-mysql -l app=wordpress --agg local port to be used for port forwarding knoxautopolicy-8587dfd464-28dpq: 9089 Pod Name wordpress-bf95888cb-rkcwm Namespace Name wordpress-mysql Cluster Name default Container Name wordpress Labels app=wordpress
Policy Recommendations and Reports
KubeArmor already had a community driven curated list of System and Network policy templates at policy-template repository. With the templates, it was upto the user to change values like namespace labels etc to make sure that the policies are actually enforcing on their cluster.
With the new karmor recommend it is made sure that the user doesn’t have to change anything on the policy but rather simply apply them to get a secure environment for the Kubernetes deployments.
karmor recommend recommends policies based on container image, k8s manifest or the actual runtime environment itself.
Usage:karmor recommend [flags]karmor recommend [command]
Available Commands:update Updates policy-template cache
Flags:-c,
Global Flags:
Use “karmor recommend [command] –help”
Bug fixes and improvements
- Ability to specific LSM order (#788). On certain platforms it is possible that multiple LSMs are available for enforcing a policy. For e.g., in case of Google COS (Container Optimized OS), both AppArmor and BPF-LSM are available. By default, KubeArmor chooses BPF-LSM if available, but with this change it is possible to specify the LSM order that could be used for policy enforcement.
- Support for readOnly flag with BPF-LSM (#962)
- Fix AppArmor policies behavior (#954)
- Discovery engine fixes
- Relative path are not shown anymore
- Improved
karmor summaryoutput - Improved discovered policies rules to include all necessary paths
