KubeArmor is a container-aware runtime security enforcement system

KubeArmor is a container-aware runtime security enforcement system that restricts the behavior (such as process execution, file access, networking operation, and resource utilization) of containers at the system level.

Key Features

Support network security enforcement among containers

KubeArmor aims to protect containers themselves rather than interactions among containers.

Provide easy-to-use semantics for policy definitions

KubeArmor provides the ability to monitor the life cycles of containers' processes and take policy decisions based on them.

Enforce security policies on containers at runtime

KubeArmor maintains security policies separately, which means that security policies are no longer tightly coupled

Provide a k8s-native engine

A Kubernetes operator for system-wide security policies, with Linux Security Modules (LSMs) for policy enforcement.


Introduction to LSM (Linux Security Modules)

LSM hooks in the Linux kernel mediate access to internal kernel objects such as inodes, tasks, files, devices and IPC. "LSM" in general refers to these generic hooks added to the core kernel code; security modules can then use the hooks to implement enhanced access control as separate, built-in security modules. AppArmor, SELinux, Smack and TOMOYO are examples of such security modules.

KubeArmor Demo Policies

apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-config-block
  namespace: wordpress-mysql
spec:
  severity: 10
  selector:
    matchLabels:
      app: wordpress
  file:
    matchPaths:
    - path: /var/www/html/wp-config.php
      fromSource:
      - path: /bin/cat
      # Blocks, inside a wordpress pod:
      #   cd /var/www/html
      #   cat wp-config.php
  action: Block
---
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mysql-dir-audit
  namespace: wordpress-mysql
spec:
  selector:
    matchLabels:
      app: mysql
  file:
    matchDirectories:
    - dir: /var/lib/mysql/
      recursive: true
  action: Audit
  severity: 1
---
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-process-block
  namespace: wordpress-mysql
spec:
  severity: 3
  selector:
    matchLabels:
      app: wordpress
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
  action: Block
---
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-sa-block
  namespace: wordpress-mysql
spec:
  severity: 7
  selector:
    matchLabels:
      app: wordpress
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
      # Blocks, inside a wordpress pod:
      #   cat /run/secrets/kubernetes.io/serviceaccount/token
      #   curl https://$KUBERNETES_PORT_443_TCP_ADDR/api --insecure --header \
      #     "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)"
  action: Block
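Before applying policies like the four above, it helps to dry-run them against concrete events and see which one fires. The following is an added example, not KubeArmor's own code: a simplified Python model of the policy semantics (namespace plus label selector, exact `matchPaths`, prefix `matchDirectories` honouring `recursive`, `fromSource` scoping, and Block taking precedence over Audit). The four demo policies are transcribed to Python dicts, the `Event` type is constructed for this example, and the pass-through result when nothing matches is this model's approximation of the default posture when only Block/Audit rules exist, not the enforcer's implementation.

```python
"""Toy evaluator for the demo KubeArmorPolicy objects above.

Added example, not KubeArmor's code. Policies are hand-transcribed dicts
(in real use, yaml.safe_load the manifests); the Event shape is assumed.
"""
from dataclasses import dataclass


@dataclass
class Event:
    namespace: str  # namespace of the pod
    labels: dict    # pod labels, matched against selector.matchLabels
    kind: str       # "file" (open) or "process" (exec)
    path: str       # file opened, or binary executed
    source: str     # executable of the process performing the access


def _policy(name, spec):
    return {"metadata": {"name": name, "namespace": "wordpress-mysql"}, "spec": spec}


# The four demo policies from this page, in dict form.
POLICIES = [
    _policy("ksp-wordpress-config-block", {
        "severity": 10, "action": "Block",
        "selector": {"matchLabels": {"app": "wordpress"}},
        "file": {"matchPaths": [{"path": "/var/www/html/wp-config.php",
                                 "fromSource": [{"path": "/bin/cat"}]}]},
    }),
    _policy("ksp-mysql-dir-audit", {
        "severity": 1, "action": "Audit",
        "selector": {"matchLabels": {"app": "mysql"}},
        "file": {"matchDirectories": [{"dir": "/var/lib/mysql/", "recursive": True}]},
    }),
    _policy("ksp-wordpress-process-block", {
        "severity": 3, "action": "Block",
        "selector": {"matchLabels": {"app": "wordpress"}},
        "process": {"matchPaths": [{"path": "/usr/bin/apt"}, {"path": "/usr/bin/apt-get"}]},
    }),
    _policy("ksp-wordpress-sa-block", {
        "severity": 7, "action": "Block",
        "selector": {"matchLabels": {"app": "wordpress"}},
        "file": {"matchDirectories": [{"dir": "/run/secrets/kubernetes.io/serviceaccount/",
                                       "recursive": True}]},
    }),
]

ACTION_RANK = {"Block": 2, "Audit": 1, "Allow": 0}


def _selector_matches(spec, event):
    return all(event.labels.get(k) == v for k, v in spec["selector"]["matchLabels"].items())


def _from_source_ok(rule, event):
    # A rule with fromSource applies only when the accessing binary is listed.
    sources = rule.get("fromSource")
    return not sources or any(s["path"] == event.source for s in sources)


def _path_rule_matches(rule, event):
    return event.path == rule["path"] and _from_source_ok(rule, event)


def _dir_rule_matches(rule, event):
    d = rule["dir"] if rule["dir"].endswith("/") else rule["dir"] + "/"
    if not event.path.startswith(d):
        return False
    rel = event.path[len(d):]
    if not rule.get("recursive", False) and "/" in rel:
        return False  # non-recursive: only direct children of the directory
    return _from_source_ok(rule, event)


def matching_policies(event, policies=POLICIES):
    """All policies whose selector and file/process rules match the event."""
    hits = []
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != event.namespace or not _selector_matches(spec, event):
            continue
        section = spec.get(event.kind, {})
        rules = [(r, _path_rule_matches) for r in section.get("matchPaths", [])]
        rules += [(r, _dir_rule_matches) for r in section.get("matchDirectories", [])]
        if any(fn(r, event) for r, fn in rules):
            hits.append(pol)
    return hits


def decide(event, policies=POLICIES):
    """Return (action, policy name). Block outranks Audit when both match;
    with no Allow rules present, an unmatched access passes through (Allow, None)."""
    hits = matching_policies(event, policies)
    if not hits:
        return ("Allow", None)
    best = max(hits, key=lambda p: ACTION_RANK[p["spec"]["action"]])
    return (best["spec"]["action"], best["metadata"]["name"])


if __name__ == "__main__":
    wp = {"app": "wordpress"}
    for ev in (Event("wordpress-mysql", wp, "file", "/var/www/html/wp-config.php", "/bin/cat"),
               Event("wordpress-mysql", wp, "file", "/var/www/html/wp-config.php", "/usr/local/bin/php"),
               Event("wordpress-mysql", wp, "process", "/usr/bin/apt-get", "/bin/bash")):
        print(ev.kind, ev.path, "from", ev.source, "->", decide(ev))
```

The second case in the demo run is the one worth noticing: the same file read by the PHP interpreter instead of `/bin/cat` is not matched at all, because `fromSource` scopes the rule to the listed binary. That is what makes the wp-config policy usable without breaking WordPress, and it is also why a `fromSource` rule alone is not a complete confidentiality control for the file.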

Threat-matrix coverage of the demo policies (figure; only the labels survived extraction):

Credential Access: App Credentials in config files
Execution: bash/cmd inside container
Lateral Movement: Access Cloud Resources, Access Container service account


KubeArmor is licensed under the Apache License, Version 2.0.
The eBPF-based container monitor is licensed under the General Public License, Version 2.0.