KubeArmor: Container-aware Runtime Security Enforcement System


Key Features

Restrict the behavior of containers at the system level

KubeArmor filters process executions, file accesses, network operations and resource utilization inside containers at the system level, so the restriction holds regardless of what application code runs in the container.

Enforce security policies to containers in runtime

KubeArmor translates each security policy into Linux Security Module (LSM) rules and loads them for every container the policy selects, matching containers by their identities (e.g., Kubernetes labels).

Provide effortless semantics for policy definitions

KubeArmor manages the internal complexity of the LSMs and exposes simple, declarative semantics for policy definitions.

Produce container-aware alert logs against policy violations

KubeArmor produces alert logs for policy violations in containers by monitoring the operations of container processes with its eBPF-based system monitor; each alert is tied to the container (and its Kubernetes identity) in which the violation occurred.
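How such alerts can be consumed downstream, as an added example that is not KubeArmor's own code: a short Python script that reads a stream of constructed alert records, separates policy matches from ordinary system logs, counts hits per policy and enforcement mode, lists the unexpected executables seen while a policy is still in Audit mode, and pulls out high-severity denials. The field names are modelled on the JSON that `karmor log` prints as I understand it; that is an assumption, so check them against your own output, and the pod names and events are made up for the example.

```python
"""Triage KubeArmor policy alerts from a JSON log stream.

Added example, not KubeArmor's own code. The records in SAMPLE_LOG are
constructed for this example and imitate the per-line JSON that `karmor log`
emits; the field names follow that format as I understand it (assumed).
"""
import json
from collections import Counter, defaultdict

# Constructed sample stream: four policy matches, one plain container log and one
# line of non-JSON noise, to show that the parser copes with all three.
SAMPLE_LOG = r"""
{"Timestamp":1625000001,"NamespaceName":"wordpress-mysql","PodName":"wordpress-7c966b5d85-abcde","ContainerName":"wordpress","Labels":"app=wordpress","PolicyName":"ksp-wordpress-config-block","Severity":"10","Type":"MatchedPolicy","Source":"/usr/sbin/apache2","Operation":"File","Resource":"/var/www/html/wp-config.php","Action":"Block","Result":"Permission denied"}
{"Timestamp":1625000002,"NamespaceName":"wordpress-mysql","PodName":"mysql-6d9f5f5f4-xyz12","ContainerName":"mysql","Labels":"app=mysql","PolicyName":"ksp-mysql-dir-audit","Severity":"5","Type":"MatchedPolicy","Source":"/usr/sbin/mysqld","Operation":"File","Resource":"/var/lib/mysql/ibdata1","Action":"Audit","Result":"Passed"}
{"Timestamp":1625000003,"NamespaceName":"wordpress-mysql","PodName":"mysql-6d9f5f5f4-xyz12","ContainerName":"mysql","Labels":"app=mysql","PolicyName":"ksp-mysql-dir-audit","Severity":"5","Type":"MatchedPolicy","Source":"/bin/sh","Operation":"File","Resource":"/var/lib/mysql/wordpress/wp_users.ibd","Action":"Audit","Result":"Passed"}
{"Timestamp":1625000004,"NamespaceName":"wordpress-mysql","PodName":"wordpress-7c966b5d85-abcde","ContainerName":"wordpress","Labels":"app=wordpress","PolicyName":"ksp-wordpress-sa-block","Severity":"8","Type":"MatchedPolicy","Source":"/usr/bin/curl","Operation":"File","Resource":"/run/secrets/kubernetes.io/serviceaccount/token","Action":"Block","Result":"Permission denied","Tags":["MITRE"],"Message":"block the k8s credential access"}
{"Timestamp":1625000005,"NamespaceName":"wordpress-mysql","PodName":"wordpress-7c966b5d85-abcde","ContainerName":"wordpress","Labels":"app=wordpress","Type":"ContainerLog","Source":"/bin/bash","Operation":"Process","Resource":"/bin/ls","Result":"Passed"}
karmor: connected to relay (constructed noise line, not JSON)
"""


def parse_alerts(text):
    """Keep only well-formed policy-match records (Type == MatchedPolicy)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # status lines or partial writes: skip, never crash the pipeline
        if rec.get("Type") == "MatchedPolicy":
            alerts.append(rec)
    return alerts


def hits_per_policy(alerts):
    """Counter of (PolicyName, Action): how often each policy fired, and in which mode."""
    return Counter((a["PolicyName"], a["Action"]) for a in alerts)


def audit_review(alerts, expected_sources):
    """Audit-mode triage before flipping a policy to Block: which executables, other than
    the ones you expect, touched the policy's resources?
    expected_sources: {policy name: set of executable paths that legitimately hit it}"""
    surprises = defaultdict(set)
    for a in alerts:
        if a["Action"] != "Audit":
            continue
        if a["Source"] not in expected_sources.get(a["PolicyName"], set()):
            surprises[a["PolicyName"]].add((a["Source"], a["Resource"]))
    return {name: sorted(pairs) for name, pairs in surprises.items()}


def high_severity_blocks(alerts, threshold=8):
    """Enforced denials at or above a severity: what on-call should look at first."""
    return sorted(
        (a["NamespaceName"], a["PodName"], a["PolicyName"], a["Source"], a["Resource"])
        for a in alerts
        if a["Action"] == "Block" and int(a.get("Severity", 0)) >= threshold
    )


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for (policy, action), n in sorted(hits_per_policy(alerts).items()):
        print(f"{policy:32} {action:6} {n}")
    # mysqld is the only process expected under /var/lib/mysql; /bin/sh shows up as a surprise
    print(audit_review(alerts, {"ksp-mysql-dir-audit": {"/usr/sbin/mysqld"}}))
    for row in high_severity_blocks(alerts):
        print("HIGH", *row)
```

In practice the input comes from `karmor log` (or the relay) piped into this script; the Audit-mode review is the step worth automating, because it tells you which processes would start failing the moment the policy's action becomes Block.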

Support network security enforcement among containers

KubeArmor allows applying policy settings at the level of network system calls, controlling interactions among containers.

Provide Kubernetes-native security enforcement engine

KubeArmor lets operators define security policies in terms of Kubernetes metadata (labels, namespaces) and apply them as ordinary Kubernetes resources (the KubeArmorPolicy kind shown below).

Sample Policies

# File rule scoped to one executable: only accesses to wp-config.php made by
# /usr/sbin/apache2 match; the selector picks the containers by label.
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-config-block
  namespace: wordpress-mysql
spec:
  severity: 10
  selector:
    matchLabels:
      app: wordpress
  file:
    matchPaths:
    - path: /var/www/html/wp-config.php
      fromSource:
      - path: /usr/sbin/apache2
  action: Block

# Block package-manager executions in the wordpress containers.
# Note: this sample reuses the name of the policy above; two KubeArmorPolicy
# objects with the same name in one namespace cannot coexist, so applying both
# replaces the first. Give each policy a distinct name before applying.
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-config-block
  namespace: wordpress-mysql
spec:
  severity: 3
  selector:
    matchLabels:
      app: wordpress
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
  action: Block

# Audit (log but allow) every access under the directory; recursive: true
# covers subdirectories too.
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mysql-dir-audit
  namespace: wordpress-mysql
spec:
  severity: 5
  selector:
    matchLabels:
      app: mysql
  file:
    matchDirectories:
    - dir: /var/lib/mysql/p
      recursive: true
  action: Audit

# Deny every process in the wordpress containers access to the mounted
# service-account credentials (token, ca.crt, namespace).
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-sa-block
  namespace: wordpress-mysql
spec:
  severity: 8
  tags: ["MITRE"]
  message: "block the k8s credential access"
  selector:
    matchLabels:
      app: wordpress
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
  action: Block
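An added example, not part of this page or of KubeArmor itself: a pre-flight linter for KubeArmorPolicy manifests, run over constructed policies that mirror the samples above plus one network rule (the features list mentions network enforcement but the samples do not show one; the `matchProtocols`/`fromSource` shape and the tcp/udp/icmp/raw protocol set are my assumption). The checks encode the CRD constraints as I understand them, which is also an assumption to verify against the CRD installed in your cluster: file and process paths are absolute and do not end in `/`, `matchDirectories` entries end in `/`, `action` is Allow/Audit/Block (Block when omitted), `severity` is 1..10, and the selector names at least one label. It also catches the name reuse that appears in the samples above. Policies are plain dicts here (what `yaml.safe_load` or `json.loads` would return), so the script runs without PyYAML.

```python
"""Pre-flight linter for KubeArmorPolicy manifests.

Added example, not KubeArmor's own tooling. The checks below encode the CRD
constraints as I understand them (assumed; verify against your cluster's CRD).
"""
from collections import Counter

VALID_ACTIONS = {"Allow", "Audit", "Block"}
VALID_PROTOCOLS = {"tcp", "udp", "icmp", "raw"}  # assumed network protocol set


def _is_file_path(p):
    return isinstance(p, str) and p.startswith("/") and not p.endswith("/")


def _is_dir_path(p):
    return isinstance(p, str) and p.startswith("/") and p.endswith("/")


# (spec section, list key, field, validator, description of a valid value)
RULE_KINDS = (
    ("file", "matchPaths", "path", _is_file_path, "an absolute file path"),
    ("file", "matchDirectories", "dir", _is_dir_path, "an absolute directory path ending in '/'"),
    ("process", "matchPaths", "path", _is_file_path, "an absolute file path"),
    ("network", "matchProtocols", "protocol", lambda p: p in VALID_PROTOCOLS, "one of tcp/udp/icmp/raw"),
)


def _check_sources(rule, where, problems):
    # fromSource scopes a rule to the listed executables; each must be an absolute file path.
    for src in rule.get("fromSource", []):
        if not _is_file_path(src.get("path")):
            problems.append(f"{where}: fromSource path {src.get('path')!r} must be an absolute file path")


def lint_policy(policy):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    meta = policy.get("metadata", {})
    spec = policy.get("spec", {})
    if policy.get("kind") != "KubeArmorPolicy":
        problems.append("kind must be KubeArmorPolicy")
    if not meta.get("name") or not meta.get("namespace"):
        problems.append("metadata.name and metadata.namespace are required")
    if not spec.get("selector", {}).get("matchLabels"):
        problems.append("spec.selector.matchLabels must name at least one label")
    action = spec.get("action", "Block")  # Block is the default when omitted (assumed)
    if action not in VALID_ACTIONS:
        problems.append(f"spec.action {action!r} is not one of {sorted(VALID_ACTIONS)}")
    sev = spec.get("severity", 1)
    if not (isinstance(sev, int) and 1 <= sev <= 10):
        problems.append(f"spec.severity {sev!r} must be an integer in 1..10")
    rules = 0
    for section, key, field, ok, desc in RULE_KINDS:
        for i, rule in enumerate(spec.get(section, {}).get(key, [])):
            rules += 1
            where = f"{section}.{key}[{i}]"
            if not ok(rule.get(field)):
                problems.append(f"{where}: {field} {rule.get(field)!r} must be {desc}")
            _check_sources(rule, where, problems)
    if rules == 0:
        problems.append("policy contains no file, process or network rule")
    return problems


def duplicate_names(policies):
    """(namespace, name) pairs used more than once: a later apply replaces the earlier object."""
    keys = Counter((p.get("metadata", {}).get("namespace"), p.get("metadata", {}).get("name")) for p in policies)
    return sorted(k for k, n in keys.items() if n > 1)


# Constructed manifests for the demo (dicts, as yaml.safe_load would return them).
CONFIG_BLOCK = {
    "apiVersion": "security.accuknox.com/v1", "kind": "KubeArmorPolicy",
    "metadata": {"name": "ksp-wordpress-config-block", "namespace": "wordpress-mysql"},
    "spec": {"severity": 10, "selector": {"matchLabels": {"app": "wordpress"}},
             "file": {"matchPaths": [{"path": "/var/www/html/wp-config.php",
                                      "fromSource": [{"path": "/usr/sbin/apache2"}]}]},
             "action": "Block"},
}
APT_BLOCK = {  # deliberately reuses CONFIG_BLOCK's name so duplicate_names() has something to catch
    "apiVersion": "security.accuknox.com/v1", "kind": "KubeArmorPolicy",
    "metadata": {"name": "ksp-wordpress-config-block", "namespace": "wordpress-mysql"},
    "spec": {"severity": 3, "selector": {"matchLabels": {"app": "wordpress"}},
             "process": {"matchPaths": [{"path": "/usr/bin/apt"}, {"path": "/usr/bin/apt-get"}]},
             "action": "Block"},
}
NET_BLOCK_CURL = {  # constructed network rule: block tcp traffic originating from curl (shape assumed)
    "apiVersion": "security.accuknox.com/v1", "kind": "KubeArmorPolicy",
    "metadata": {"name": "ksp-wordpress-curl-net-block", "namespace": "wordpress-mysql"},
    "spec": {"severity": 6, "selector": {"matchLabels": {"app": "wordpress"}},
             "network": {"matchProtocols": [{"protocol": "tcp", "fromSource": [{"path": "/usr/bin/curl"}]}]},
             "action": "Block"},
}
BROKEN_AUDIT = {  # several mistakes at once: empty selector, bad action, severity out of range, dir without '/'
    "apiVersion": "security.accuknox.com/v1", "kind": "KubeArmorPolicy",
    "metadata": {"name": "ksp-mysql-dir-audit-broken", "namespace": "wordpress-mysql"},
    "spec": {"severity": 11, "selector": {"matchLabels": {}},
             "file": {"matchDirectories": [{"dir": "/var/lib/mysql", "recursive": True}]},
             "action": "Deny"},
}

if __name__ == "__main__":
    batch = [CONFIG_BLOCK, APT_BLOCK, NET_BLOCK_CURL, BROKEN_AUDIT]
    for pol in batch:
        print(pol["metadata"]["name"], lint_policy(pol) or "ok")
    print("duplicate names:", duplicate_names(batch))
```

Run it against the manifests you are about to `kubectl apply`; a policy that fails CRD validation is rejected by the API server anyway, but a silently replaced duplicate or a directory rule that never matches is only visible afterwards, in the absence of alerts.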


Copyright © 2021. Accuknox