KubeArmor
Search…
Security Policy Specification for Hosts

Policy Specification

Here is the specification of a host security policy.
1
apiVersion: security.kubearmor.com/v1
2
kind:KubeArmorHostPolicy
3
metadata:
4
name: [policy name]
5
6
spec:
7
severity: [1-10] # --> optional (1 by default)
8
tags: ["tag", ...] # --> optional
9
message: [message] # --> optional
10
11
nodeSelector:
12
matchLabels:
13
[key1]: [value1]
14
[keyN]: [valueN]
15
16
process:
17
matchPaths:
18
- path: [absolute executable path]
19
ownerOnly: [true|false] # --> optional
20
fromSource: # --> optional
21
- path: [absolute exectuable path]
22
matchDirectories:
23
- dir: [absolute directory path]
24
recursive: [true|false] # --> optional
25
ownerOnly: [true|false] # --> optional
26
fromSource: # --> optional
27
- path: [absolute exectuable path]
28
matchPatterns:
29
- pattern: [regex pattern]
30
ownerOnly: [true|false] # --> optional
31
32
file:
33
matchPaths:
34
- path: [absolute file path]
35
readOnly: [true|false] # --> optional
36
ownerOnly: [true|false] # --> optional
37
fromSource: # --> optional
38
- path: [absolute exectuable path]
39
matchDirectories:
40
- dir: [absolute directory path]
41
recursive: [true|false] # --> optional
42
readOnly: [true|false] # --> optional
43
ownerOnly: [true|false] # --> optional
44
fromSource: # --> optional
45
- path: [absolute exectuable path]
46
matchPatterns:
47
- pattern: [regex pattern]
48
readOnly: [true|false] # --> optional
49
ownerOnly: [true|false] # --> optional
50
51
network:
52
matchProtocols:
53
- protocol: [TCP|tcp|UDP|udp|ICMP|icmp]
54
fromSource:
55
- path: [absolute exectuable path]
56
57
capabilities:
58
matchCapabilities:
59
- capability: [capability name]
60
fromSource:
61
- path: [absolute exectuable path]
62
63
action: [Audit|Block] (Block by default)
Copied!
For better understanding, you can check the KubeArmorHostPolicy spec diagram.

Policy Spec Description

Now, we will briefly explain how to define a host security policy.
  • Common
    A security policy starts with the base information such as apiVersion, kind, and metadata. The apiVersion and kind would be the same in any security policies. In the case of metadata, you need to specify the names of a policy and a namespace where you want to apply the policy.
    1
    apiVersion: security.kubearmor.com/v1
    2
    kind:KubeArmorHostPolicy
    3
    metadata:
    4
    name: [policy name]
    5
    namespace: [namespace name]
    Copied!
    Make sure that you need to use KubeArmorHostPolicy, not KubeArmorPolicy.
  • Severity
    The severity part is somewhat important. You can specify the severity of a given policy from 1 to 10. This severity will appear in alerts when policy violations happen.
    1
    severity: [1-10]
    Copied!
  • Tags
    The tags part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies.
    1
    tags: ["tag1", ..., "tagN"]
    Copied!
  • Message
    The message part is optional. You can add an alert message, and then the message will be presented in alert logs.
    1
    message: [message]
    Copied!
  • NodeSelector
    The node selector part is relatively straightforward. Similar to other Kubernetes configurations, you can specify (a group of) nodes based on labels.
    1
    nodeSelector:
    2
    matchLabels:
    3
    [key1]: [value1]
    4
    [keyN]: [valueN]
    Copied!
    If you do not have any custom labels, you can use system labels as well.
    1
    kubernetes.io/arch: [architecture, (e.g., amd64)]
    2
    kubernetes.io/hostname: [host name, (e.g., kubearmor-dev)]
    3
    kubernetes.io/os: [operating system, (e.g., linux)]
    Copied!
  • Process
    In the process section, there are three types of matches: matchPaths, matchDirectories, and matchPatterns. You can define specific executables using matchPaths or all executables in specific directories using matchDirectories. In the case of matchPatterns, advanced operators may be able to determine particular patterns for executables by using regular expressions. However, we generally do not recommend using this match.
    1
    process:
    2
    matchPaths:
    3
    - path: [absolute executable path]
    4
    ownerOnly: [true|false] # --> optional
    5
    fromSource: # --> optional
    6
    - path: [absolute executable path]
    7
    matchDirectories:
    8
    - dir: [absolute directory path]
    9
    recursive: [true|false] # --> optional
    10
    ownerOnly: [true|false] # --> optional
    11
    fromSource: # --> optional
    12
    - path: [absolute exectuable path]
    13
    matchPatterns:
    14
    - pattern: [regex pattern]
    15
    ownerOnly: [true|false] # --> optional
    Copied!
    In each match, there are three options.
    • ownerOnly (static action: allow owner only; otherwise block all)
      If this is enabled, the owners of the executable(s) defined with matchPaths and matchDirectories will be only allowed to execute.
    • recursive
      If this is enabled, the coverage will extend to the subdirectories of the directory defined with matchDirectories.
    • fromSource
      If a path is specified in fromSource, the executable at the path will be allowed/blocked to execute the executables defined with matchPaths or matchDirectories. For better understanding, let us say that an operator defines a policy as follows. Then, /bin/bash will be only allowed (blocked) to execute /bin/sleep. Otherwise, the execution of /bin/sleep will be blocked (allowed).
      1
      process:
      2
      matchPaths:
      3
      - path: /bin/sleep
      4
      fromSource:
      5
      - path: /bin/bash
      Copied!
  • File
    The file section is quite similar to the process section.
    1
    file:
    2
    matchPaths:
    3
    - path: [absolute file path]
    4
    readOnly: [true|false] # --> optional
    5
    ownerOnly: [true|false] # --> optional
    6
    fromSource: # --> optional
    7
    - path: [absolute file path]
    8
    matchDirectories:
    9
    - dir: [absolute directory path]
    10
    recursive: [true|false] # --> optional
    11
    readOnly: [true|false] # --> optional
    12
    ownerOnly: [true|false] # --> optional
    13
    fromSource: # --> optional
    14
    - path: [absolute file path]
    15
    matchPatterns:
    16
    - pattern: [regex pattern]
    17
    readOnly: [true|false] # --> optional
    18
    ownerOnly: [true|false] # --> optional
    Copied!
    The only difference between 'process' and 'file' is the readOnly option.
    • readOnly (static action: allow to read only; otherwise block all)
      If this is enabled, the read operation will be only allowed, and any other operations (e.g., write) will be blocked.
  • Network
    In the case of network, there is currently one match type: matchProtocols. You can define specific protocols among TCP, UDP, and ICMP.
    1
    network:
    2
    matchProtocols:
    3
    - protocol: [protocol(,)] # --> [ TCP | tcp | UDP | udp | ICMP | icmp ]
    4
    fromSource:
    5
    - path: [absolute file path]
    Copied!
  • Capabilities
    In the case of capabilities, there is currently one match type: matchCapabilities. You can define specific capability names to allow or block using matchCapabilities. You can check available capabilities in Capability List.
    1
    capabilities:
    2
    matchCapabilities:
    3
    - capability: [capability name(,)]
    4
    fromSource:
    5
    - path: [absolute file path]
    Copied!
  • Action
    The action could be Audit or Block in general. In order to use the Allow action, you should define 'fromSource'; otherwise, all Allow actions will be ignored by default.
    1
    action: [Audit|Block]
    Copied!
    If 'fromSource' is defined, we can use all actions for specific rules.
    1
    action: [Allow|Audit|Block]
    Copied!
Last modified 1mo ago
Export as PDF
Copy link