KubeArmor
Search…
Getting Started
Reference
Security Policy Specification for Containers
Policy Specification
Here is the specification of a security policy.
1
apiVersion: security.kubearmor.com/v1
2
kind:KubeArmorPolicy
3
metadata:
4
name: [policy name]
5
namespace: [namespace name]
6
​
7
spec:
8
severity: [1-10] # --> optional (1 by default)
9
tags: ["tag", ...] # --> optional
10
message: [message] # --> optional
11
​
12
selector:
13
matchLabels:
14
[key1]: [value1]
15
[keyN]: [valueN]
16
​
17
process:
18
matchPaths:
19
- path: [absolute executable path]
20
ownerOnly: [true|false] # --> optional
21
fromSource: # --> optional
22
- path: [absolute exectuable path]
23
matchDirectories:
24
- dir: [absolute directory path]
25
recursive: [true|false] # --> optional
26
ownerOnly: [true|false] # --> optional
27
fromSource: # --> optional
28
- path: [absolute exectuable path]
29
matchPatterns:
30
- pattern: [regex pattern]
31
ownerOnly: [true|false] # --> optional
32
​
33
file:
34
matchPaths:
35
- path: [absolute file path]
36
readOnly: [true|false] # --> optional
37
ownerOnly: [true|false] # --> optional
38
fromSource: # --> optional
39
- path: [absolute exectuable path]
40
matchDirectories:
41
- dir: [absolute directory path]
42
recursive: [true|false] # --> optional
43
readOnly: [true|false] # --> optional
44
ownerOnly: [true|false] # --> optional
45
fromSource: # --> optional
46
- path: [absolute exectuable path]
47
matchPatterns:
48
- pattern: [regex pattern]
49
readOnly: [true|false] # --> optional
50
ownerOnly: [true|false] # --> optional
51
​
52
network:
53
matchProtocols:
54
- protocol: [TCP|tcp|UDP|udp|ICMP|icmp]
55
fromSource: # --> optional
56
- path: [absolute exectuable path]
57
​
58
capabilities:
59
matchCapabilities:
60
- capability: [capability name]
61
fromSource: # --> optional
62
- path: [absolute exectuable path]
63
​
64
action: [Allow|Audit|Block] (Block by default)
Copied!
Policy Spec Description
Now, we will briefly explain how to define a security policy.
- CommonA security policy starts with the base information such as apiVersion, kind, and metadata. The apiVersion and kind would be the same in any security policies. In the case of metadata, you need to specify the names of a policy and a namespace where you want to apply the policy.1apiVersion: security.kubearmor.com/v12kind:KubeArmorPolicy3metadata:4name: [policy name]5namespace: [namespace name]Copied!
- SeverityThe severity part is somewhat important. You can specify the severity of a given policy from 1 to 10. This severity will appear in alerts when policy violations happen.1severity: [1-10]Copied!
- TagsThe tags part is optional. You can define multiple tags (e.g., WARNNING, SENSITIVE, MITRE, STIG, etc.) to categorize security policies.1tags: ["tag1", ..., "tagN"]Copied!
- MessageThe message part is optional. You can add an alert message, and then the message will be presented in alert logs.1message: [message]Copied!
- SelectorThe selector part is relatively straightforward. Similar to other Kubernetes configurations, you can specify (a group of) pods based on labels.1selector:2matchLabels:3[key1]: [value1]4[keyN]: [valueN]Copied!
- ProcessIn the process section, there are three types of matches: matchPaths, matchDirectories, and matchPatterns. You can define specific executables using matchPaths or all executables in specific directories using matchDirectories. In the case of matchPatterns, advanced operators may be able to determine particular patterns for executables by using regular expressions. However, the coverage of regular expressions is highly dependent on AppArmor (Policy Core Reference). Thus, we generally do not recommend using this match.1process:2matchPaths:3- path: [absolute executable path]4ownerOnly: [true|false] # --> optional5fromSource: # --> optional6- path: [absolute executable path]7matchDirectories:8- dir: [absolute directory path]9recursive: [true|false] # --> optional10ownerOnly: [true|false] # --> optional11fromSource: # --> optional12- path: [absolute exectuable path]13matchPatterns:14- pattern: [regex pattern]15ownerOnly: [true|false] # --> optionalCopied!In each match, there are three options.
- ownerOnly (static action: allow owner only; otherwise block all)If this is enabled, the owners of the executable(s) defined with matchPaths and matchDirectories will be only allowed to execute.
- recursiveIf this is enabled, the coverage will extend to the subdirectories of the directory defined with matchDirectories.
- fromSourceIf a path is specified in fromSource, the executable at the path will be allowed/blocked to execute the executables defined with matchPaths or matchDirectories. For better understanding, let us say that an operator defines a policy as follows. Then, /bin/bash will be only allowed (blocked) to execute /bin/sleep. Otherwise, the execution of /bin/sleep will be blocked (allowed).1process:2matchPaths:3- path: /bin/sleep4fromSource:5- path: /bin/bashCopied!
- FileThe file section is quite similar to the process section.1file:2matchPaths:3- path: [absolute file path]4readOnly: [true|false] # --> optional5ownerOnly: [true|false] # --> optional6fromSource: # --> optional7- path: [absolute file path]8matchDirectories:9- dir: [absolute directory path]10recursive: [true|false] # --> optional11readOnly: [true|false] # --> optional12ownerOnly: [true|false] # --> optional13fromSource: # --> optional14- path: [absolute file path]15matchPatterns:16- pattern: [regex pattern]17readOnly: [true|false] # --> optional18ownerOnly: [true|false] # --> optionalCopied!The only difference between 'process' and 'file' is the readOnly option.
- readOnly (static action: allow to read only; otherwise block all)If this is enabled, the read operation will be only allowed, and any other operations (e.g., write) will be blocked.
- NetworkIn the case of network, there is currently one match type: matchProtocols. You can define specific protocols among TCP, UDP, and ICMP.1network:2matchProtocols:3- protocol: [protocol] # --> [ TCP | tcp | UDP | udp | ICMP | icmp ]4fromSource: # --> optional5- path: [absolute file path]Copied!
- CapabilitiesIn the case of capabilities, there is currently one match type: matchCapabilities. You can define specific capability names to allow or block using matchCapabilities. You can check available capabilities in Capability List.1capabilities:2matchCapabilities:3- capability: [capability name]4fromSource: # --> optional5- path: [absolute file path]Copied!
- ActionThe action could be Allow, Audit, or Block. Security policies would be handled in a blacklist manner or a whitelist manner according to the action. Thus, you need to define the action carefully. You can refer to Consideration in Policy Action for more details. In the case of the Audit action, we can use this action for policy verification before applying a security policy with the Block action.1action: [Allow|Audit|Block]Copied!
Getting Started - Previous
Installing KubeArmor with KArmor CLI Tool
Next - Getting Started
Security Policy Examples for Containers
Last modified 1mo ago
Export as PDF
Copy link