KubeArmor
Search…
KubeArmor
Getting Started
Deployment Guide
Security Policy Specification for Containers
Security Policy Examples for Containers
Security Policy Specification for Nodes/VMs
Security Policy Examples for Nodes/VMs
Contribution
Contribution Guide
Development Guide
Testing Guide
Reference
Kubernetes Installation for Ubuntu
Kubernetes Installation for Fedora
Supported Capability List
Examples
Multiubuntu
Sock-Shop
Wordpress-MySQL
Powered By GitBook
Security Policy Examples for Nodes/VMs
Here, we demonstrate how to define host security policies.
  • Process Execution Restriction
    • Block a specific executable (hsp-kubearmor-dev-proc-path-block.yaml)
      1
      apiVersion: security.kubearmor.com/v1
      2
      kind: KubeArmorHostPolicy
      3
      metadata:
      4
      name: hsp-kubearmor-dev-proc-path-block
      5
      spec:
      6
      nodeSelector:
      7
      matchLabels:
      8
      kubernetes.io/hostname: kubearmor-dev
      9
      severity: 5
      10
      process:
      11
      matchPaths:
      12
      - path: /usr/bin/diff
      13
      action:
      14
      Block
      Copied!
      • Explanation: The purpose of this policy is to block the execution of '/usr/bin/diff' in a host whose host name is 'kubearmor-dev'. For this, we define 'kubernetes.io/hostname: kubearmor-dev' in nodeSelector -> matchLabels and the specific path ('/usr/bin/diff') in process -> matchPaths. Also, we put 'Block' as the action of this policy.
      • Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run '/usr/bin/diff'. You will see that /usr/bin/diff is blocked.
      NOTE
      The given policy works with almost every linux distribution. If it is not working in your case, check the process location. The following location shows location of sleep binary in different ubuntu distributions:
      • In case of Ubuntu 20.04 : /usr/bin/sleep
      • In case of Ubuntu 18.04 : /bin/sleep
  • File Access Restriction
    • Audit a critical file access (hsp-kubearmor-dev-file-path-audit.yaml)
      1
      apiVersion: security.kubearmor.com/v1
      2
      kind: KubeArmorHostPolicy
      3
      metadata:
      4
      name: hsp-kubearmor-dev-file-path-audit
      5
      spec:
      6
      nodeSelector:
      7
      matchLabels:
      8
      kubernetes.io/hostname: kubearmor-dev
      9
      severity: 5
      10
      file:
      11
      matchPaths:
      12
      - path: /etc/passwd
      13
      action:
      14
      Audit
      Copied!
      • Explanation: The purpose of this policy is to audit any accesses to a critical file (i.e., '/etc/passwd'). Since we want to audit one critical file, we use matchPaths to specify the path of '/etc/passwd'.
      • Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run 'sudo cat /etc/passwd'. Then, check the alert logs of KubeArmor.
Getting Started - Previous
Security Policy Specification for Nodes/VMs
Next - Contribution
Contribution Guide
Last modified 2mo ago
Export as PDF
Copy link