Introduction to KubeArmor

What is KubeArmor?

KubeArmor is open source software that protects cloud workloads at runtime.
The problem KubeArmor solves is preventing cloud workloads from carrying out malicious activity at runtime. Malicious activity is any activity the workload was not designed for or is not supposed to perform.
Given a policy, KubeArmor can restrict the following types of behavior on your cloud workloads:
  • File access: allow / deny specific paths
  • Process execution / forking: allow / deny
  • Establishing network connections: allow / deny
  • Requesting other capabilities: allow / deny. Such capabilities can enable additional types of malicious behavior.
KubeArmor works from a YAML policy that defines what the workload may do, and then restricts the behavior (such as process execution, file access, and network operations) of containers and nodes at runtime.

How does KubeArmor work?

KubeArmor uses Linux security modules (LSMs) and eBPF. It can work on any Linux platform (such as Alpine, Ubuntu, and Container-Optimized OS from Google) as long as a Linux security module (e.g., AppArmor, SELinux, or KRSI) is enabled in the Linux kernel.
eBPF is used for syscall monitoring.
KubeArmor will automatically use the appropriate LSMs to enforce the required policies.
For example, in the policy below:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: limit-access-to-database-files
spec:
  selector:
    matchLabels:
      app: microservice-1
  file:
    severity: 5
    matchPaths:
    - path: /etc/mysql/my.cnf
      ownerOnly: true
    - path: /etc/mysql/data
      ownerOnly: true
  action: Block
```
In the policy above, microservice-1 is prevented from accessing the MySQL configuration file (/etc/mysql/my.cnf) and the data path (/etc/mysql/data). Because ownerOnly is set to true, the block applies to any process that is not the owner of those files; the owner keeps access.
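To make the effect of selector, matchPaths and ownerOnly concrete, here is an added example (not KubeArmor's own code; KubeArmor enforces these rules in the kernel through an LSM) that models the decision for a single file access. The policy is the one above expressed as a Python dict, the pod and UIDs are constructed sample input, and the alert fields are a simplified stand-in for the container-identity alert KubeArmor emits on a violation.

```python
# Model of how a KubeArmorPolicy file rule is evaluated (added example, not KubeArmor code).
# Covers the Block and Audit actions only; Allow policies are whitelists and are not modelled.

POLICY = {  # mirrors the YAML policy above
    "metadata": {"name": "limit-access-to-database-files"},
    "spec": {
        "selector": {"matchLabels": {"app": "microservice-1"}},
        "file": {
            "severity": 5,
            "matchPaths": [
                {"path": "/etc/mysql/my.cnf", "ownerOnly": True},
                {"path": "/etc/mysql/data", "ownerOnly": True},
            ],
        },
        "action": "Block",
    },
}

# Constructed sample pod: labels must match the selector for the policy to apply.
POD = {"name": "microservice-1-7d9f", "namespace": "default",
       "labels": {"app": "microservice-1"}}


def selects(policy, pod_labels):
    """A policy applies to a pod only if every selector label matches."""
    wanted = policy["spec"]["selector"]["matchLabels"]
    return all(pod_labels.get(k) == v for k, v in wanted.items())


def evaluate_file_access(policy, pod, path, proc_uid, file_owner_uid):
    """Return (decision, alert) for one file access by a process in `pod`.

    decision is "Allow" or "Block"; alert is None unless a rule was violated.
    """
    if not selects(policy, pod["labels"]):
        return "Allow", None
    for rule in policy["spec"]["file"]["matchPaths"]:
        if rule["path"] != path:          # matchPaths entries are exact paths
            continue
        # ownerOnly: the file's owner keeps access, anyone else hits the action
        if rule.get("ownerOnly") and proc_uid == file_owner_uid:
            return "Allow", None
        action = policy["spec"]["action"]
        alert = {"policy": policy["metadata"]["name"], "severity": policy["spec"]["file"]["severity"],
                 "pod": pod["name"], "namespace": pod["namespace"], "labels": pod["labels"],
                 "resource": path, "action": action}
        # Audit only records the violation; Block denies the access as well
        return ("Allow" if action == "Audit" else "Block"), alert
    return "Allow", None


if __name__ == "__main__":
    print(evaluate_file_access(POLICY, POD, "/etc/mysql/my.cnf", 1000, 0))  # non-owner: blocked
    print(evaluate_file_access(POLICY, POD, "/etc/mysql/my.cnf", 0, 0))     # owner: allowed
```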

What kind of workloads can KubeArmor protect?

KubeArmor provides first-class support for Kubernetes workloads.
With KubeArmor, one can define security policies and apply them to cloud workloads running in Kubernetes. Through its deep integration with Kubernetes, KubeArmor automatically detects changes to pods and applies the matching policies to them.
If a security policy is violated, KubeArmor immediately generates an alert carrying the container's identity. Logs and metrics from KubeArmor can be forwarded to a log storage / processing platform (such as Elastic) or a time-series database, respectively.

Support for Virtual Machines

Support for virtual machine based workloads is currently being added.

Notice/Credits
