KubeArmor: Container-aware Runtime Security Enforcement System
How To Install KubeArmor?
Key Features
KubeArmor can restrict process executions, file accesses, network operations, and resource usage inside containers at the system level.
KubeArmor enforces security policies through Linux Security Modules (LSMs), applying them per container based on the container's identity (e.g., its Kubernetes labels) and the policies that select it.
KubeArmor hides the complexity of working with LSMs directly and exposes simple semantics for defining policies.
KubeArmor generates alert logs for policy violations by observing the operations of container processes with its eBPF-based system monitor.
KubeArmor can apply policy at the level of network system calls, controlling which interactions between containers are permitted.
KubeArmor lets operators write security policies in terms of Kubernetes metadata (namespaces, labels) and apply them with kubectl like any other Kubernetes resource.
Sample Policies

The policies below are scoped to the wordpress-mysql namespace and attach to pods by label. A KubeArmorPolicy is a namespaced custom resource (apiVersion security.kubearmor.com/v1); its action is one of Allow, Audit or Block, and policy names must be unique within a namespace.

Block the Apache worker /usr/sbin/apache2 from accessing /var/www/html/wp-config.php in pods labelled app=wordpress. The fromSource clause limits the rule to that binary, so other processes in the container are not affected:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-config-block
  namespace: wordpress-mysql
spec:
  severity: 10
  selector:
    matchLabels:
      app: wordpress
  file:
    matchPaths:
    - path: /var/www/html/wp-config.php
      # group: alice   # not a key of a KubeArmor file rule (readOnly, ownerOnly and fromSource are); left disabled
      fromSource:
      - path: /usr/sbin/apache2
  action: Block

Block execution of the package managers /usr/bin/apt and /usr/bin/apt-get in the same pods, which stops an attacker with a shell in the container from installing tooling:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-apt-block
  namespace: wordpress-mysql
spec:
  severity: 3
  selector:
    matchLabels:
      app: wordpress
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
  action: Block

Audit (log, but allow) every access under the MySQL data directory, recursively, in pods labelled app=mysql. KubeArmor requires matchDirectories entries to be absolute paths ending in '/':

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mysql-dir-audit
  namespace: wordpress-mysql
spec:
  severity: 5
  selector:
    matchLabels:
      app: mysql
  file:
    matchDirectories:
    - dir: /var/lib/mysql/p
      recursive: true
  action: Audit
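The mistakes that most often keep a policy like the ones above from applying, or from attaching to the intended pods, are easy to catch before kubectl sees the manifest: a quote that leaks into the namespace, a directory entry without its trailing '/', a key the rule type does not have, a severity or action outside the allowed values, and two policies sharing a name in one namespace (the later apply silently replaces the earlier one). The linter below, written for this page and not part of KubeArmor, checks those and also answers "which of these policies will select a pod with these labels?" using Kubernetes equality-selector semantics. Its schema constraints (action in Allow/Audit/Block with Block as the default when omitted, severity 1..10, matchPaths entries as absolute file paths, matchDirectories entries ending in '/', and the per-rule key sets) are my reading of the KubeArmorPolicy CRD and are stated as assumptions in the code. Manifests are handled as already-parsed dicts, i.e. what yaml.safe_load would return, so it runs without PyYAML; the two sample manifests are constructed for the example.

```python
"""Offline linter and selector check for KubeArmorPolicy manifests (added example).

Assumed CRD constraints: action in {Allow, Audit, Block}, default Block when
omitted; severity is an integer 1..10; matchPaths entries are absolute file
paths; matchDirectories entries are absolute paths ending in '/'.
Policies are plain dicts (what yaml.safe_load returns), so no PyYAML needed.
"""
from collections import Counter

API_VERSION = "security.kubearmor.com/v1"
VALID_ACTIONS = {"Allow", "Audit", "Block"}
# Allowed keys per matchPaths rule type (assumed from the CRD; readOnly is file-only).
PATH_KEYS = {
    "file": {"path", "readOnly", "ownerOnly", "fromSource", "severity", "tags", "message", "action"},
    "process": {"path", "ownerOnly", "fromSource", "severity", "tags", "message", "action"},
}


def _abs_file(p):
    return isinstance(p, str) and p.startswith("/") and not p.endswith("/")


def _abs_dir(p):
    return isinstance(p, str) and p.startswith("/") and p.endswith("/")


def lint_policy(pol):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    out = []
    if pol.get("apiVersion") != API_VERSION:
        out.append(f"apiVersion must be {API_VERSION}")
    if pol.get("kind") != "KubeArmorPolicy":
        out.append("kind must be KubeArmorPolicy")
    meta = pol.get("metadata", {})
    if not meta.get("name"):
        out.append("metadata.name is required")
    ns = meta.get("namespace", "")
    if not ns:
        out.append("metadata.namespace is required (KubeArmorPolicy is namespaced)")
    elif any(c in ns for c in "\"'"):
        out.append(f"metadata.namespace {ns!r} contains a stray quote")
    spec = pol.get("spec", {})
    if not spec.get("selector", {}).get("matchLabels"):
        out.append("spec.selector.matchLabels must name at least one label")
    sev = spec.get("severity", 1)
    if not isinstance(sev, int) or not 1 <= sev <= 10:
        out.append(f"severity {sev!r} must be an integer from 1 to 10")
    action = spec.get("action", "Block")  # assumed CRD default when omitted
    if action not in VALID_ACTIONS:
        out.append(f"action {action!r} must be one of {sorted(VALID_ACTIONS)}")
    for section, keys in PATH_KEYS.items():
        rules = spec.get(section) or {}
        for e in rules.get("matchPaths", []):
            if not _abs_file(e.get("path")):
                out.append(f"{section}.matchPaths: {e.get('path')!r} is not an absolute file path")
            for src in e.get("fromSource", []):
                if not _abs_file(src.get("path")):
                    out.append(f"{section}.matchPaths fromSource: {src.get('path')!r} is not an absolute path")
            unknown = sorted(set(e) - keys)
            if unknown:
                out.append(f"{section}.matchPaths: unknown keys {unknown}")
        for e in rules.get("matchDirectories", []):
            if not _abs_dir(e.get("dir")):
                out.append(f"{section}.matchDirectories: {e.get('dir')!r} must be absolute and end with '/'")
    return out


def _key(pol):
    meta = pol.get("metadata", {})
    return (meta.get("namespace"), meta.get("name"))


def lint_bundle(policies):
    """Lint each policy (keyed by position) and flag (namespace, name) pairs that
    occur more than once: a later kubectl apply replaces the earlier policy."""
    seen = Counter(_key(p) for p in policies)
    report = {}
    for i, p in enumerate(policies):
        findings = lint_policy(p)
        if seen[_key(p)] > 1:
            findings.append(f"name {_key(p)[1]!r} is reused in namespace {_key(p)[0]!r}")
        report[i] = findings
    return report


def policies_for_pod(policies, namespace, pod_labels):
    """Names of policies that attach to a pod: same namespace and every
    matchLabels pair present on the pod (Kubernetes equality-selector semantics)."""
    names = []
    for p in policies:
        sel = p.get("spec", {}).get("selector", {}).get("matchLabels", {})
        if _key(p)[0] == namespace and sel and all(pod_labels.get(k) == v for k, v in sel.items()):
            names.append(_key(p)[1])
    return names


# Constructed sample manifests (not from the page): one clean, one with the
# mistakes that most often stop a policy from applying or from matching.
GOOD = {
    "apiVersion": API_VERSION, "kind": "KubeArmorPolicy",
    "metadata": {"name": "ksp-wordpress-apt-block", "namespace": "wordpress-mysql"},
    "spec": {"severity": 3, "selector": {"matchLabels": {"app": "wordpress"}},
             "process": {"matchPaths": [{"path": "/usr/bin/apt"}, {"path": "/usr/bin/apt-get"}]},
             "action": "Block"},
}
BAD = {
    "apiVersion": API_VERSION, "kind": "KubeArmorPolicy",
    "metadata": {"name": "ksp-mysql-dir-audit", "namespace": 'wordpress-mysql"'},  # stray quote
    "spec": {"severity": 11, "selector": {"matchLabels": {"app": "mysql"}},
             "file": {"matchPaths": [{"path": "/etc/mysql/my.cnf", "group": "alice"}],  # unknown key
                      "matchDirectories": [{"dir": "/var/lib/mysql", "recursive": True}]},  # no trailing '/'
             "action": "Deny"},  # not a KubeArmor action
}

if __name__ == "__main__":
    for idx, findings in lint_bundle([GOOD, BAD, GOOD]).items():
        print(idx, findings or "ok")
    print(policies_for_pod([GOOD, BAD], "wordpress-mysql", {"app": "wordpress", "tier": "web"}))
```

Run it as a script to see the five findings on BAD and the duplicate-name warning on both copies of GOOD; the selector check shows that BAD, with its quoted namespace, would never attach to any pod even if the rest were valid. Wire lint_bundle into a pre-commit hook or CI step over the policies directory to catch these before they reach a cluster.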