KubeArmor: Container-aware Runtime Security Enforcement System

Key Features

Restrict the behavior of containers at the system level

KubeArmor provides the ability to filter process executions, file accesses, networking operations, and resource utilization inside containers at the system level.

Enforce security policies to containers in runtime

KubeArmor directly enforces security policies through Linux Security Modules (LSMs) for each container, selecting the policies to apply from the identities (e.g., labels) of the given containers.

Produce container-aware alert logs against policy violations

KubeArmor produces alert logs for policy violations that happen in containers by monitoring the operations of containers' processes using its eBPF-based system monitor.

Provide effortless semantics for policy definitions

KubeArmor manages internal complexities associated with LSMs and provides easy semantics for policy definitions.

Support network security enforcement among containers

KubeArmor allows applying policy settings at the level of network system calls, controlling interactions among containers.

Provide Kubernetes-native security enforcement engine

KubeArmor allows operators to define security policies based on Kubernetes metadata and simply apply them in Kubernetes.

Blog

Introduction to Linux Security Modules (LSMs)

LSM hooks in the Linux kernel mediate access to internal kernel objects such as inodes, tasks, files, devices and IPC. LSMs, in general, refer to these generic hooks added in the core kernel code. Security modules can then use these generic hooks to implement enhanced access control as independent kernel modules. AppArmor, SELinux, Smack and TOMOYO are examples of such independent kernel security modules.


Sample Policies

apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-config-block
  namespace: wordpress-mysql
spec:
  severity: 10
  selector:
    matchLabels:
      app: wordpress
  file:
    matchPaths:
    - path: /var/www/html/wp-config.php
      fromSource:
      - path: /usr/sbin/apache2
      action: Allow
    - path: /var/www/html/wp-config.php
      action: Block


apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mysql-dir-audit
  namespace: wordpress-mysql
spec:
  severity: 5
  selector:
    matchLabels:
      app: mysql
  file:
    matchDirectories:
    - dir: /var/lib/mysql/
      recursive: true
  action: Audit

apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-process-block
  namespace: wordpress-mysql
spec:
  severity: 3
  selector:
    matchLabels:
      app: wordpress
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
  action: Block


apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-sa-block
  namespace: wordpress-mysql
spec:
  severity: 8
  tags: ["MITRE"]
  message: "block the k8s credential access"
  selector:
    matchLabels:
      app: wordpress
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
  action: Block
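To make the semantics of the sample policies concrete, here is an added example (not KubeArmor code, and not the project's enforcement logic): a small evaluator that applies policies shaped like the samples above to a single container event and reports which policy and action apply. The three policies are embedded as constructed dicts mirroring the page's YAML; the precedence rules (an entry-level action overrides the spec-level one, and a fromSource-specific entry wins over a general entry for the same path) are my reading of the samples, stated as assumptions.

```python
# Added example, not KubeArmor code: evaluates policies shaped like the
# samples above against one container event. Precedence rules are assumptions.
WP = {"app": "wordpress"}
POLICIES = [  # constructed dicts mirroring the page's sample policies (spec only)
    {"name": "ksp-wordpress-config-block", "selector": {"matchLabels": WP},
     "file": {"matchPaths": [
         {"path": "/var/www/html/wp-config.php", "action": "Allow",
          "fromSource": [{"path": "/usr/sbin/apache2"}]},
         {"path": "/var/www/html/wp-config.php", "action": "Block"}]}},
    {"name": "ksp-mysql-dir-audit", "action": "Audit",
     "selector": {"matchLabels": {"app": "mysql"}},
     "file": {"matchDirectories": [{"dir": "/var/lib/mysql/", "recursive": True}]}},
    {"name": "ksp-wordpress-process-block", "action": "Block",
     "selector": {"matchLabels": WP},
     "process": {"matchPaths": [{"path": "/usr/bin/apt"}, {"path": "/usr/bin/apt-get"}]}},
]

def _path_matches(entry, path):
    # matchPaths entries need an exact path; matchDirectories entries match
    # children, and only direct children unless recursive is set.
    if "path" in entry:
        return path == entry["path"]
    d = entry["dir"]
    return path.startswith(d) and (entry.get("recursive", False)
                                   or "/" not in path[len(d):])

def evaluate(policies, pod_labels, kind, path, source):
    """Return (policy name, action) for the winning rule, or None if no policy
    applies. kind is "file" or "process"; source is the accessing executable."""
    hits = []
    for pol in policies:
        labels = pol["selector"]["matchLabels"]
        # Selector: every label in matchLabels must be present on the pod.
        if kind not in pol or any(pod_labels.get(k) != v for k, v in labels.items()):
            continue
        sec = pol[kind]
        for e in sec.get("matchPaths", []) + sec.get("matchDirectories", []):
            srcs = [s["path"] for s in e.get("fromSource", [])]
            if not _path_matches(e, path) or (srcs and source not in srcs):
                continue
            # Entry-level action overrides the spec-level one; a fromSource-
            # specific entry ranks ahead of a general entry for the same path.
            hits.append((0 if srcs else 1, pol["name"], e.get("action", pol.get("action"))))
    return min(hits)[1:] if hits else None

if __name__ == "__main__":
    print(evaluate(POLICIES, WP, "file", "/var/www/html/wp-config.php", "/usr/sbin/apache2"))
```

Running the evaluator for the same wp-config.php read from /usr/sbin/apache2 and from a shell shows the two outcomes the first sample policy is designed to produce: Allow for the web server and Block for everything else in the pod.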


KubeArmor is licensed under the Apache License, Version 2.0.
The eBPF-based container monitor is licensed under the General Public License, Version 2.0.