Security Policy deployment in MultiUbuntu with KubeArmor

KubeArmor, a container-aware runtime security enforcement system, developed by Accuknox helps in auditing and blocking any malicious access performed on containers. It not only restricts the behavior of the container at the system level but also blocks access to it and generates audit logs, and automatically sends them to the system. KubeArmor allows operators to define security policies and apply them to Kubernetes. Then, KubeArmor will automatically detect the changes in security policies from Kubernetes and enforce them to the corresponding containers and nodes. If there are any violations against security policies, KubeArmor immediately generates alerts with container identities. If operators have any logging systems, it automatically sends the alerts to their systems as well. To deploy Multiubuntu microservice, the steps are to be followed. These are the sample security policies for multiubuntu deployment. Security policies

Example 1 - Block a process execution:

In this example, the sleep command can be blocked by applying a security policy. Let us see how it works before and after applying the security policy. The picture below shows that the sleep command is working.This is the yaml policy to be applied to block the sleep command.To apply the policy the following command should be given. Here we can see that the kubearmor ksp-group-1-proc-path-block.yaml policy is applied.To check if the sleep command is blocked, Execute sleep command inside the ubuntu-1 pod. Replace the appropriate pod name for ubuntu 1.Here you can see the permission is denied. To check for audit logs, replace KubeArmor in the node where ubuntu-1 is located.

Example 2 - Block file access:

Another example is to block a specific directory and the subdirectories. In this example, the credentials directory contains sensitive information. Here we can access the password text file and can view the username and password.Let us see how to apply a policy and how to block this directory. This is the yaml policy to be applied to block access to sensitive information.To apply the policy the following command should be given. Here we can see that the kubearmor ksp-ubuntu-5-file-dir-recursive-block.yaml policy is applied.To check if the password text file is blocked, Let us try to access Access /credentials/password inside of the ubuntu-5 pod.Here, the permission is denied when we try to view the password text file. To check audit logs, replace KubeArmor in the node where Ubuntu 5 is located.

Setting kubeArmor up on Kubernetes

Prerequisite: We need a working Kubernetes setup for this. We can use a cloud Kubernetes offering GCP or set yourself locally using minikube. If you are using minikube then we also require kubectl. The daemon-set has to be installed as part of the kube-system namespace thus giving it the rights to watch all the system events. Commands to install: Step #1: Deploy kubearmor for GKE: kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/master/deployments/GKE/kubearmor.yaml After a second kubeArmor should be running, to verify, you will see the pods you created in a moment. Before applying the security policy to the container or pod the annotations should be added to the deployment, under the metadata Sample deployment with annotations Here is an example of a security policy which is to block a process execution of the sleep command. When you apply the policy it will block this particular command, we can get the audit logs of that security policy. KubeArmor Security Policy to block sleep command in containers during runtime Find more about this on “Sample deployment of Multiubuntu with KubeArmor”

Conclusion

In this blog, we looked at the basics of Kubernetes security monitoring and how to set up the kubeArmor on Kubernetes which automatically detects the changes in security policies and enforces them on the respective containers without any human intervention, and sends the audit logs to their system admins.