KubeArmor
Security Policy Examples for Containers
Here, we demonstrate how to define security policies using our example microservice (multiubuntu).
  • Process Execution Restriction
    • Block a specific executable (ksp-group-1-proc-path-block.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-group-1-proc-path-block
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            group: group-1
        process:
          matchPaths:
          - path: /bin/sleep
        action:
          Block
      ```
      • Explanation: The purpose of this policy is to block the execution of '/bin/sleep' in the containers with the 'group-1' label. For this, we define the 'group-1' label in selector -> matchLabels and the specific path ('/bin/sleep') in process -> matchPaths. Also, we set the action of this policy to 'Block'.
      • Verification: After applying this policy, please get into one of the containers with the 'group-1' label (using "kubectl -n multiubuntu exec -it ubuntu-X-deployment-... -- bash") and run '/bin/sleep'. You will see that /bin/sleep is blocked.
    • Block all executables in a specific directory (ksp-ubuntu-1-proc-dir-block.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-1-proc-dir-block
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-1
        process:
          matchDirectories:
          - dir: /sbin/
        action:
          Block
      ```
      • Explanation: The purpose of this policy is to block all executables in the '/sbin' directory. Since we want to block all executables rather than a specific executable, we use matchDirectories to specify the executables in the '/sbin' directory at once.
      • Verification: After applying this policy, please get into the container with the 'ubuntu-1' label and run '/sbin/route' to see if this command is allowed (this command will be blocked).
    • Block all executables in a specific directory and its subdirectories (ksp-ubuntu-2-proc-dir-recursive-block.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-2-proc-dir-recursive-block
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-2
        process:
          matchDirectories:
          - dir: /usr/
            recursive: true
        action:
          Block
      ```
      • Explanation: As the extension of the previous policy, we want to block all executables in the '/usr' directory and its subdirectories (e.g., '/usr/bin', '/usr/sbin', and '/usr/local/bin'). Thus, we add 'recursive: true' to extend the scope of the policy.
      • Verification: After applying this policy, please get into the container with the 'ubuntu-2' label and run '/usr/bin/env' or '/usr/bin/whoami'. You will see that those commands are blocked.
    • Allow specific executables only (ksp-ubuntu-3-proc-dir-allow.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-3-proc-dir-allow
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-3
        process:
          matchDirectories:
          - dir: /bin/
        file:
          matchDirectories:
          - dir: /credentials/ # some files to test
            recursive: true
        action:
          Allow
      ```
      • Explanation: Unlike the previous policies, we want the container with the 'ubuntu-3' label only to execute specific executables. To achieve this goal, we first define the scope of this policy using matchDirectories (you can also use matchPaths). Then, we define the 'Allow' action instead of the 'Block' action.
      • Verification: In this policy, we allow some files (i.e., /credentials/*) for verification. After applying this policy, please get into the container with the 'ubuntu-3' label and run 'cd /credentials', 'ls', and 'cat /credentials/password'. You will see that all of the binaries in /bin work well. Now, please simply run 'awk' or 'diff'. Then, those commands will be blocked since they are in /usr/bin.
    • Allow a specific executable to be launched by its owner only (ksp-ubuntu-3-proc-path-owner-only.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-3-proc-path-owner-allow
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-3
        process:
          matchPaths:
          - path: /home/user1/hello
            ownerOnly: true
          - path: /bin/su # need to change users
        file:
          matchDirectories: # some files are used by /bin/su (coarse-grained way)
          - dir: /etc/
            recursive: true
          - dir: /proc/
            recursive: true
          matchPaths:
          - path: /run/utmp # used by /bin/su
        action:
          Allow
      ```
      • Explanation: This policy aims to allow only a specific user (i.e., user1) to launch its own executable (i.e., hello), which means that we do not want even the root user to launch /home/user1/hello. For this, we define a security policy similar to the above ones, but we specifically add 'ownerOnly: true'.
      • Verification: For verification, we allow /bin/su and some files used by /bin/su to change users (from 'root' to 'user1') in the policy. After applying this policy, please get into the container with the 'ubuntu-3' label and run '/home/user1/hello' first. This command will be blocked even though you are the 'root' user. Then, please run 'su - user1'. Now, you are the 'user1' user. Please run '/home/user1/hello' again. You will see that it works now.
  • File Access Restriction
    • Allow accessing specific files only (ksp-ubuntu-4-file-path-readonly-allow.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-4-file-path-readonly-allow
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-4
        process: # some executables to test
          matchDirectories:
          - dir: /bin/
        file:
          matchPaths:
          - path: /secret.txt
          - path: /credentials/password
            readOnly: true
        action:
          Allow
      ```
      • Explanation: The purpose of this policy is to allow the container with the 'ubuntu-4' label to access '/secret.txt' and '/credentials/password' only. We also want the container to read '/credentials/password' only (the write operation is blocked) while allowing the container to read and write '/secret.txt'.
      • Verification: For testing, we allow binaries in /bin. After applying this policy, please get into the container with the 'ubuntu-4' label and run 'cat /secret.txt' and 'cat /credentials/password'. You can see the contents in those files. Now, please run 'echo "test" >> /secret.txt'. This command will work fine. Please run 'echo "test" >> /credentials/password'. You will see that the write operation will be blocked.
    • Block all file accesses in a specific directory and its subdirectories (ksp-ubuntu-5-file-dir-recursive-block.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-5-file-dir-recursive-block
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-5
        file:
          matchDirectories:
          - dir: /credentials/
            recursive: true
        action:
          Block
      ```
      • Explanation: In this policy, we do not want the container with the 'ubuntu-5' label to access any files in the '/credentials' directory and its subdirectories. Thus, we use 'matchDirectories' and 'recursive: true' to cover all files in the '/credentials' directory and its subdirectories.
      • Verification: After applying this policy, please get into the container with the 'ubuntu-5' label and run 'cat /secret.txt'. You will see the contents of /secret.txt. Then, please run 'cat /credentials/password'. This command will be blocked due to the security policy.
  • Network Operation Restriction
    • Block ICMP packets (ksp-ubuntu-5-net-icmp-block)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-5-net-icmp-block
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-5
        network:
          matchProtocols:
          - protocol: icmp
        action:
          Block
      ```
      • Explanation: We want to block sending ICMP packets from the containers with the 'ubuntu-5' label while allowing packets for the other protocols (e.g., TCP and UDP). For this, we use 'matchProtocols' to define the protocol (i.e., ICMP) that we want to block.
      • Verification: After applying this policy, please get into the container with the 'ubuntu-5' label and run 'curl www.kubearmor.com'. This will work fine. Then, please run 'ping 8.8.8.8'. You will see 'permission denied' since the 'ping' command internally uses the ICMP protocol.
  • Capabilities Restriction
    • Block Raw Sockets (i.e., non-TCP/UDP packets) (ksp-ubuntu-1-cap-net-raw-block.yaml)
      ```yaml
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorPolicy
      metadata:
        name: ksp-ubuntu-1-cap-net-raw-block
        namespace: multiubuntu
      spec:
        selector:
          matchLabels:
            container: ubuntu-1
        capabilities:
          matchCapabilities:
          - capability: net_raw
        action:
          Block
      ```
      • Explanation: We want to block any network operations using raw sockets from the containers with the 'ubuntu-1' label, meaning that the containers cannot send non-TCP/UDP packets (e.g., ICMP echo request or reply) to other containers. To achieve this, we use matchCapabilities and specify the 'CAP_NET_RAW' capability to block raw socket creation inside the containers. Since TCP and UDP packets are sent through stream and datagram sockets respectively (not raw sockets), the containers can still send those packets to others.
      • Verification: After applying this policy, please get into the container with the 'ubuntu-1' label and run 'curl www.kubearmor.com'. This will work fine. Then, please run 'ping 8.8.8.8'. You will see 'operation not permitted' since the 'ping' command internally requires a raw socket to send ICMP packets.
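To make the matching behaviour of the policies above concrete, here is an added example (not KubeArmor's own code): a simplified Python model of how matchPaths / matchDirectories (with recursive, ownerOnly and readOnly) decide an access for a labelled container, with four of the page's policies transcribed as dicts. The event dict and its owner / write flags are assumptions of the model, and Block-over-Allow precedence plus allow-list semantics are modelled from what the page's verification steps describe.

```python
# Added example, not KubeArmor's engine: a simplified model of the page's rule matching.
def ksp(name, labels, action, **sections):
    """Policy dict laid out like the spec of the page's KubeArmorPolicy YAML."""
    return {"metadata": {"name": name, "namespace": "multiubuntu"},
            "spec": {"selector": {"matchLabels": labels}, "action": action, **sections}}

POLICIES = [  # transcribed from four of the page's example policies
    ksp("ksp-ubuntu-3-proc-dir-allow", {"container": "ubuntu-3"}, "Allow",
        process={"matchDirectories": [{"dir": "/bin/"}]},
        file={"matchDirectories": [{"dir": "/credentials/", "recursive": True}]}),
    ksp("ksp-ubuntu-3-proc-path-owner-allow", {"container": "ubuntu-3"}, "Allow",
        process={"matchPaths": [{"path": "/home/user1/hello", "ownerOnly": True},
                                {"path": "/bin/su"}]},
        file={"matchDirectories": [{"dir": "/etc/", "recursive": True},
                                   {"dir": "/proc/", "recursive": True}],
              "matchPaths": [{"path": "/run/utmp"}]}),
    ksp("ksp-ubuntu-4-file-path-readonly-allow", {"container": "ubuntu-4"}, "Allow",
        file={"matchPaths": [{"path": "/secret.txt"},
                             {"path": "/credentials/password", "readOnly": True}]}),
    ksp("ksp-ubuntu-5-file-dir-recursive-block", {"container": "ubuntu-5"}, "Block",
        file={"matchDirectories": [{"dir": "/credentials/", "recursive": True}]}),
]

def path_matches(rule, path):
    """matchPaths: exact path; matchDirectories: direct children, any depth if recursive."""
    if "path" in rule:
        return rule["path"] == path
    d = rule["dir"]
    return path.startswith(d) and (rule.get("recursive", False) or "/" not in path[len(d):])

def rule_permits(rule, ev):
    """Allow rule permits ev only if ownerOnly/readOnly hold (ev flags owner/write assumed)."""
    return not ((rule.get("ownerOnly") and not ev.get("owner", False))
                or (rule.get("readOnly") and ev.get("write", False)))

def decide(policies, labels, ev):
    """Block wins; once an Allow policy covers ev["kind"], paths it does not list are blocked."""
    allow_seen = allowed = False
    for pol in policies:
        if any(labels.get(k) != v for k, v in pol["spec"]["selector"]["matchLabels"].items()):
            continue  # selector does not match this container
        sec = pol["spec"].get(ev["kind"], {})  # "process" or "file" section
        rules = sec.get("matchPaths", []) + sec.get("matchDirectories", [])
        hits = [r for r in rules if path_matches(r, ev["path"])]
        if pol["spec"]["action"] == "Block" and hits:
            return "Block"
        if pol["spec"]["action"] == "Allow" and rules:
            allow_seen, allowed = True, allowed or any(rule_permits(r, ev) for r in hits)
    return "Block" if allow_seen and not allowed else "Allow"
```

Running decide over the events from the page's verification steps (for example '/usr/bin/awk' in ubuntu-3, or a write to /credentials/password in ubuntu-4) reproduces the Block/Allow outcomes the text describes.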