- Please check Support matrix for KubeArmor.
- Use
karmor probeto check if the platform is supported.
If the path in your process rule is not an absolute path but a symlink, policy enforcement won't work. This is because KubeArmor sees the actual executable path in events received from kernel space and is not aware about symlinks.
Policy enforcement on symbolic links like /usr/bin/python doesn't work and one has to specify the path of the actual executable that they link to.
Check karmor probe output and check whether Container Security is false. If it is false, the KubeArmor enforcement is not supported on that platform. You should check the KubeArmor Support Matrix and if the platform is not listed there then raise a new issue or connect to kubearmor community of slack.
If you are applying an Allow-based policies and expecting unknown actions to be blocked, please make sure to check the default security posture. The default security posture is set to Audit by default since KubeArmor v0.7.
Native k8s supports specifying a security context for the pod or container. It requires one to specify native AppArmor, SELinux, seccomp policies. But there are a few problems with this approach:
- All the OS distributions do not support the LSMs consistently. For e.g, GKE COS supports AppArmor while Bottlerocket supports SELinux and BPF-LSM.
- The Pod Security Context expect the security profile to be specified in its native language, for instance, AppArmor profile for AppArmor. SELinux profile if SELinux is to be used. The profile language is extremely complex and this complexity could backfire i.e, it could lead to security holes.
- Security Profile updates are manual and difficult: When an app is updated, the security posture might change and it becomes difficult to manually update the native rules.
- No alerting of LSM violation on managed cloud platforms: By default LSMs send logs to kernel auditd, which is not available on most managed cloud platforms.
KubeArmor solves all the above mentioned problems.
- It maps YAML rules to LSMs (apparmor, bpf-lsm) rules so prior knowledge of different security context (native AppArmor, SELinux) is not required.
- It's easy to deploy: KubeArmor is deployed as a daemonset. Even when the application is updated, the enforcement rules are automatically applied.
- Consistent Alerting: KubeArmor handles kernel events and maps k8s metadata using ebpf.
- KubeArmor also runs in systemd mode so can directly run and protect Virtual Machines or Bare-metal machines too.
- Pod Security Context cannot leverage BPF-LSM at all today. BPF-LSM provides more programmatic control over the policy rules.
- Pod Security Context do not manage abstractions. As an example, you might have two nodes with Ubuntu, two nodes with Bottlerocket. Ubuntu, by default has AppArmor and Bottlerocket has BPF-LSM and SELinux. KubeArmor internally picks the right primitives to use for enforcement and the user do not have to bother explicitly stating what to use.
KubeArmor, apart from been a policy enforcement engine also emits pod/container visibility data. It uses an eBPF-based system monitor which keeps track of process life cycles in containers and even nodes, and converts system metadata to container/node identities. This information can then be used for observability use-cases.
Sample output karmor logs --json:
{
"Timestamp": 1639803960,
"UpdatedTime": "2021-12-18T05:06:00.077564Z",
"ClusterName": "Default",
"HostName": "pandora",
"HostPID": 3390423,
"PPID": 168556,
"PID": 3390423,
"UID": 1000,
"PolicyName": "hsp-kubearmor-dev-proc-path-block",
"Severity": "1",
"Type": "MatchedHostPolicy",
"Source": "zsh",
"Operation": "Process",
"Resource": "/usr/bin/sleep",
"Data": "syscall=SYS_EXECVE",
"Action": "Block",
"Result": "Permission denied"
}Here the log implies that the process /usr/bin/sleep execution by 'zsh' was denied on the Host using a block based host policy.
The logs are also exportable in OpenTelemetry format.
There are a couple of community maintained dashboards available at kubearmor/kubearmor-dashboards.
If you don't find an existing dashboard particular to your needs, feel free to create an issue. It would be really great if you could also contribute one!
karmor logs internally uses Kubernetes' client's port-forward. Port forward is not meant for long running connection and it times out if left idle. Checkout this StackOverflow answer for more info.
If you want to stream logs reliably there are a couple of solutions you can try:
- Modiy the
kubearmorservice inkubearmornamespace and change the service type toNodePort. Then run karmor with:
karmor logs --gRPC=<address of the kubearmor node-port service>This will create a direct, more reliable connection with the service, without any internal port-forward.
- If you want to stream logs to external tools (fluentd/splunk/ELK etc) checkout Streaming KubeArmor events.
The community has created adapters and dashboards for some of these tools which can be used out of the box or as reference for creating new adapters. Checkout the previous question for more information.
Following command can be used to to get pod specific events:
karmor log --pod <pod_name>
karmor log has following filter to provide more granularity:
--container - Specify container name for container specific logs
--logFilter <system|policy|all> - Filter to either receive system logs or alerts on policy violation
--logType <ContainerLog|HostLog> - Source of logs - ContainerLog: logs from containers or HostLog: logs from the host
--namespace - Specify the namespace for the running pods
--operation <Process|File|Network> - Type of logs based on process, file or network
Kubernetes admission controllers are set of extensions that acts as a gatekeeper and help govern and control Kubernetes clusters. They intercept requests to the Kubernetes API server prior to the persistence of the object into etcd.
They can manage deployments requesting too many resources, enforce pod security policies, prevent vulnerable images from being deployed and check if the pod is running in privileged mode.
But all these checks are done before the pods are started. Admission controllers doesn't guarantee any protection once the vulnerability is inside the cluster.
KuberArmor protects the pods from within. It runs as a daemonset and restricts the behavior of containers at the system level. KubeArmor allows one to define security policies for the assets/resources (such as files, processes, volumes etc) within the pod/container, select those based on K8s metadata and simply apply these security policies at runtime.
It also detects any policy violations and generates audit logs with container identities. Apart from containers, KuberArmor also allows protecting the Host itself.
KubeArmor defines 3 policy actions: Allow, Block and Audit.
Allow: A whitelist policy or a policy defined with Allow action allows only the operations defined in the policy, rest everything is blocked/audited.
Block: Policy defined with Block action blocks all the operations defined in the policy.
Audit: An applied Audit policy doesn't block any action but instead provides alerts on policy violation. This type of policy can be used for "dry-run" before safely applying a security policy in production.
If Block policy is used and there are no supported enforcement mechanism on the platform then the policy enforcement wouldn't be observed. But we will still be able to see the observability data for the applied Block policy, which can help us in identifying any suspicious activity.
KubeArmor supports enforcement on OKE leveraging the BPF-LSM. The default kernel for Oracle Linux 8.6 (OL 8.6) is UEK R6 kernel-uek-5.4.17-2136.307.3 which does not support BPF-LSM.
Unbreakable Enterprise Kernel Release 7 (UEK R7) is based on Linux kernel 5.15 LTS that supports BPF-LSM and it's available for Oracle Linux 8 Update 5 onwards.
UEK R7 can be installed on OL 8.6 by following the easy-to-follow instructions provided here in this Oracle Blog Post.
Note: After upgrading to the UEK R7 you may required to enable BPF-LSM if it's not enabled by default.
We check for BPF LSM Support in Kernel Config
cat /boot/config-$(uname -r) | grep -e "BPF" -e "BTF"Following flags need to exist and set to y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_LSM=y
CONFIG_DEBUG_INFO=y
CONFIG_DEBUG_INFO_BTF=yNote: These config could be in other places too like /boot/config, /usr/src/linux-headers-$(uname -r)/.config, /lib/modules/$(uname -r)/config, /proc/config.gz.
-
check if bpf is enabled by verifying if it is in the active lsms.
$ cat /sys/kernel/security/lsm capability,yama,selinux,bpf
as we can see here
bpfis in active lsms
-
Open the
/etc/default/grubfile in privileged mode.sudo vi /etc/default/grub
-
Append the following to the
GRUB_CMDLINE_LINUXvariable and save.GRUB_CMDLINE_LINUX="lsm=lockdown,capability,yama,apparmor,bpf" -
Update grub config:
# On Debian like systems sudo update-grubOR
# On RHEL like systems sudo grub2-mkconfig -o /boot/grub2.cfg -
Reboot into your kernel.
sudo reboot
There is some problem with AppArmor due to which ICMP rules don't work as expected.
The KubeArmor team has brought this to the attention of the AppArmor community on StackOverflow and await their response.
In the same environment we've found that ICMP rules with BPFLSM work as expected.
For more such differences checkout Enforce Feature Parity Wiki.
By default the host policies and visibility is disabled for k8s hosts.
If you use following command, kubectl logs -n kubearmor <KUBEARMOR-POD> | grep "Started to protect"
you will see, 2023-08-21 12:58:34.641665 INFO Started to protect containers.
This indicates that only container/pod protection is enabled.
If you have hostpolicy enabled you should see something like this, 2023-08-22 18:07:43.335232 INFO Started to protect a host and containers
One can enable the host policy by patching the daemonset (kubectl edit daemonsets.apps -n kubearmor kubearmor):
...
template:
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/kubearmor: unconfined
creationTimestamp: null
labels:
kubearmor-app: kubearmor
spec:
containers:
- args:
- -gRPC=32767
+ - -enableKubeArmorHostPolicy
+ - -hostVisibility=process,file,network,capabilities
env:
- name: KUBEARMOR_NODENAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
...This will enable the KubeArmorHostPolicy and host based visibility for the k8s worker nodes.
KubeArmor works out of the box with Kind clusters supporting BPF-LSM. However, with AppArmor only mode, Kind cluster needs additional provisional steps. You can check if BPF-LSM is supported/enabled on your host (on which the kind cluster is to be deployed) by using following:
cat /sys/kernel/security/lsm
- If it has
bpfin the list, then everything should work out of the box - If it has
apparmorin the list, then follow the steps mentioned in this FAQ.
cat <<EOF | kind create cluster --config -
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- extraMounts:
- hostPath: /sys/kernel/security
containerPath: /sys/kernel/security
EOFdocker exec -it kind-control-plane bash -c "apt update && apt install apparmor-utils -y && systemctl restart containerd"After this, exit out of the node shell and follow the getting-started guide.
If the kubearmor-relay pod goes into CrashLoopBackOff, apply the following patch:
kubectl patch deploy -n $(kubectl get deploy -l kubearmor-app=kubearmor-relay -A -o custom-columns=:'{.metadata.namespace}',:'{.metadata.name}') --type=json -p='[{"op": "add", "path": "/spec/template/metadata/annotations/container.apparmor.security.beta.kubernetes.io~1kubearmor-relay-server", "value": "unconfined"}]'