why use annotation? kubearmor-policy: enabled #282
Curious to understand why this annotation is needed. Using an annotation for policy enforcement could be a security hole. Also, on what basis is this annotation set?
Replies: 1 comment
By default, KubeArmor enforces security policies on pods (no need for "kubearmor-policy: enabled").
Then why is "kubearmor-policy: enabled" defined in the annotations?
This is for the case where "enableEnforcerPerPod" is set.
If "enableEnforcerPerPod" is set, KubeArmor works in audit mode by default.
This means that "kubearmor-policy: audited" is automatically added for all pods.
However, if a pod has the "kubearmor-policy: enabled" annotation, KubeArmor specifically enforces security policies on that pod.
In conclusion, "kubearmor-policy: {enabled | audited | disabled}" gives an operator more flexibility.
In particular, this can be used for testing KubeArmor before the actual dep…
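The mode selection described in the reply, and the review the question is asking for, as an added example that is not part of the discussion and not KubeArmor's own code. It models the rules stated above (default enforced; with `enableEnforcerPerPod` set the default becomes audited unless a pod is annotated `kubearmor-policy: enabled`) and then lists every pod whose effective mode is not `enabled`, which is the check an operator would want if pod annotations are allowed to weaken enforcement. The `Pod` class, the sample pods and the assumption that an explicit annotation is honoured even when `enableEnforcerPerPod` is unset are constructed for this example.

```python
"""Model KubeArmor's per-pod enforcement mode as described in the thread and
flag pods whose annotation weakens enforcement.  Added example, not KubeArmor code."""
from dataclasses import dataclass, field
from typing import Dict, List

ANNOTATION = "kubearmor-policy"                 # annotation key named in the thread
VALID_MODES = ("enabled", "audited", "disabled")  # values listed in the reply


@dataclass
class Pod:
    """Minimal stand-in for a pod's metadata (constructed for this example)."""
    name: str
    namespace: str
    annotations: Dict[str, str] = field(default_factory=dict)


def effective_mode(pod: Pod, enable_enforcer_per_pod: bool) -> str:
    """Return the mode KubeArmor would apply to this pod, following the reply:

    - enableEnforcerPerPod unset: every pod is enforced; no annotation needed.
      Assumption for this example: an explicit annotation is still honoured,
      since the reply lists audited/disabled as operator choices.
    - enableEnforcerPerPod set: the default is audited, unless the pod carries
      kubearmor-policy: enabled.

    Raises ValueError for a value outside {enabled, audited, disabled}, so a
    typo such as "Enabled" is surfaced rather than silently ignored.
    """
    value = pod.annotations.get(ANNOTATION)
    if value is not None:
        if value not in VALID_MODES:
            raise ValueError(
                f"{pod.namespace}/{pod.name}: unknown {ANNOTATION} value {value!r}")
        return value
    return "audited" if enable_enforcer_per_pod else "enabled"


def find_weakened(pods: List[Pod], enable_enforcer_per_pod: bool) -> List[str]:
    """List pods that will NOT be enforced, as "namespace/name=mode".

    Because the annotation lives on the pod, anyone who can edit pod metadata
    can downgrade enforcement; this is the review an operator runs to see
    where that has happened.  Unparseable values are reported as "invalid".
    """
    weakened = []
    for pod in pods:
        try:
            mode = effective_mode(pod, enable_enforcer_per_pod)
        except ValueError:
            mode = "invalid"
        if mode != "enabled":
            weakened.append(f"{pod.namespace}/{pod.name}={mode}")
    return weakened


# Constructed sample pods covering each case from the reply plus a typo.
SAMPLE_PODS = [
    Pod("web", "default"),                                  # no annotation
    Pod("batch", "jobs", {ANNOTATION: "audited"}),
    Pod("debug", "dev", {ANNOTATION: "disabled"}),
    Pod("payments", "prod", {ANNOTATION: "enabled"}),
    Pod("legacy", "prod", {ANNOTATION: "Enabled"}),         # wrong case: invalid
]

if __name__ == "__main__":
    for per_pod in (False, True):
        print(f"enableEnforcerPerPod={per_pod}:")
        for entry in find_weakened(SAMPLE_PODS, per_pod):
            print("  not enforced:", entry)
```

With `enableEnforcerPerPod` set, the unannotated `web` pod shows up as audited, exactly the "audit mode by default" behaviour the reply describes; with it unset, only the pods that were explicitly annotated away from `enabled` are reported.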