Runtime protection for Kubernetes & other cloud Workloads

KubeArmor uses eBPF and Linux Security Modules (LSM) to provide a policy-based system
that restricts unwanted or malicious behavior of cloud-native workloads at runtime.

How to install KubeArmor

Key Features

Restrict the behavior of containers and other workloads

KubeArmor provides the ability to restrict specific behavior of process executions, file accesses, networking operations, and resource utilization inside of your workload.

Enforce security policies at runtime

KubeArmor directly enforces security policies using Linux Security Modules (LSMs) for each workload based on the identities (e.g., labels) of given containers or workloads.

Generate logs when policy violations occur

KubeArmor produces alert logs for policy violations by monitoring the operations of containers' processes using its eBPF-based monitor.

Provide effortless semantics for policy definitions

KubeArmor manages internal complexities associated with LSMs and provides easy semantics for policy definitions.

Support network security enforcement among containers

KubeArmor allows applying policy settings at the level of network system calls, controlling interactions among containers.

Provide Kubernetes-native security enforcement engine

KubeArmor allows operators to define security policies based on Kubernetes metadata and simply apply them into Kubernetes.

Blogs

An Introduction to Kubernetes Security using KubeArmor

LSM hooks in the Linux kernel mediate access to internal

Security Policy Deployment in multiUbuntu with KubeArmor

KubeArmor, a container-aware runtime security enforcement system

What is KubeArmor and how does it compare with Falco, and Tracee?

In recent times organizations are migrating from on-premise to cloud,


Sample Policies

apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-config-block
  namespace: wordpress-mysql
spec:
  severity: 10
  selector:
    matchLabels:
      app: wordpress
  file:
    matchPaths:
    - path: /var/www/html/wp-config.php
      fromSource:
      - path: /usr/sbin/apache2
      action: Allow
    - path: /var/www/html/wp-config.php
      action: Block
---
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mysql-dir-audit
  namespace: wordpress-mysql
spec:
  severity: 5
  selector:
    matchLabels:
      app: mysql
  file:
    matchDirectories:
    - dir: /var/lib/mysql/
      recursive: true
      action: Audit
---
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-process-block
  namespace: wordpress-mysql
spec:
  severity: 3
  selector:
    matchLabels:
      app: wordpress
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
    action: Block
---
apiVersion: security.accuknox.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-sa-block
  namespace: wordpress-mysql
spec:
  severity: 8
  tags: ["MITRE"]
  message: "block the k8s credential access"
  selector:
    matchLabels:
      app: wordpress
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
      action: Block
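To make the file-rule semantics of the sample policies above concrete, here is an added, stand-alone evaluator (not KubeArmor's own engine; the precise enforcement behavior depends on the LSM in use) that models how matchPaths, matchDirectories, recursive and fromSource combine to decide a file access. The rule tables, the first-match ordering and the default-Allow fallback are assumptions of this model, transcribed from the policies on this page.

```python
# Simplified model of KubeArmor file rules (added example, not project code).
from dataclasses import dataclass
from typing import Optional


@dataclass
class FileRule:
    path: str                           # exact path (matchPaths) or directory prefix (matchDirectories)
    action: str                         # Allow | Block | Audit
    is_dir: bool = False                # True for a matchDirectories entry
    recursive: bool = False             # directory rule covers subdirectories too
    from_source: Optional[str] = None   # rule applies only when this binary is the accessor


# Rules transcribed from ksp-wordpress-config-block and ksp-wordpress-sa-block (constructed here).
WORDPRESS_RULES = [
    FileRule("/var/www/html/wp-config.php", "Allow", from_source="/usr/sbin/apache2"),
    FileRule("/var/www/html/wp-config.php", "Block"),
    FileRule("/run/secrets/kubernetes.io/serviceaccount/", "Block", is_dir=True, recursive=True),
]
# Rule transcribed from ksp-mysql-dir-audit.
MYSQL_RULES = [FileRule("/var/lib/mysql/", "Audit", is_dir=True, recursive=True)]


def _matches(rule: FileRule, path: str, source: str) -> bool:
    """True if `rule` covers an access of `path` performed by binary `source`."""
    if rule.from_source is not None and rule.from_source != source:
        return False
    if not rule.is_dir:
        return path == rule.path
    if not path.startswith(rule.path):
        return False
    rest = path[len(rule.path):]
    # A non-recursive directory rule covers only direct children of the directory.
    return rule.recursive or ("/" not in rest)


def decide(rules, path: str, source: str) -> str:
    """Return the action for an access of `path` by `source`.

    Rules are checked in order, so the fromSource Allow for apache2 wins before the
    generic Block on the same path (the "allow apache2, block everything else" intent
    of ksp-wordpress-config-block).  Assumption: no matching rule means Allow.
    """
    for rule in rules:
        if _matches(rule, path, source):
            return rule.action
    return "Allow"


if __name__ == "__main__":
    for src in ("/usr/sbin/apache2", "/bin/cat"):
        print(src, "->", decide(WORDPRESS_RULES, "/var/www/html/wp-config.php", src))
```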

Roadmap

KubeArmor is licensed under the Apache License, Version 2.0.
The eBPF-based container monitor is licensed under the General Public License, Version 2.0.