Security Policy Examples for Hosts

Search…

Here, we demonstrate how to define host security policies.
Process Execution Restriction
Block a specific executable (hsp-kubearmor-dev-proc-path-block.yaml)
1
apiVersion: security.kubearmor.com/v1
2
kind: KubeArmorHostPolicy
3
metadata:
4
  name: hsp-kubearmor-dev-proc-path-block
5
spec:
6
  nodeSelector:
7
    matchLabels:
8
      kubernetes.io/hostname: kubearmor-dev
9
  process:
10
    matchPaths:
11
    - path: /usr/bin/sleep # try sleep 1
12
  action:
13
    Block
Copied!
Explanation: The purpose of this policy is to block the execution of '/bin/sleep' in a host whose host name is 'kubearmor-dev'. For this, we define 'kubernetes.io/hostname: kubearmor-dev' in nodeSelector -> matchLabels and the specific path ('/bin/sleep') in process -> matchPaths. Also, we put 'Block' as the action of this policy.
Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run '/bin/sleep'. You will see that /bin/sleep is blocked.
File Access Restriction
Audit a critical file access (hsp-kubearmor-dev-file-path-audit.yaml)
1
apiVersion: security.kubearmor.com/v1
2
kind: KubeArmorHostPolicy
3
metadata:
4
  name: hsp-kubearmor-dev-file-path-audit
5
spec:
6
  nodeSelector:
7
    matchLabels:
8
      kubernetes.io/hostname: kubearmor-dev
9
  file:
10
    matchPaths:
11
    - path: /etc/shadow # cat /etc/shadow
12
  action:
13
    Audit
Copied!
Explanation: The purpose of this policy is to audit any file accesses to a critical file (i.e., '/etc/shadow'). Since we want to audit one critical file, we use matchPaths to specify the path of '/etc/shadow'.
Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run 'sudo cat /etc/shadow'. Then, check the alert logs of KubeArmor.

Getting Started - Previous

Security Policy Specification for Hosts

Next - Getting Started

Consideration in Policy Action

Last modified 1mo ago

Export as PDF

Copy link