v0.7 Release Blog

VIshnu Soman edited this page Nov 7, 2022 · 29 revisions

THIS IS A WORK IN PROGRESS

ARM support for KubeArmor

Why was the support considered?

Which ARM platforms were tested?

  1. RPI
  2. ARM VM
  3. ARM VM on Macbook M1 laptops

Multi-Container support

Need for multi-container support

Policy construct changes

Backward compatibility

Using an unprivileged container for the KubeArmor daemonset (as a part of LFX Mentorship)

...

BPF-LSM Extensions

...

Policy Recommendations and Reports

KubeArmor already had a community-driven, curated list of System and Network policy templates in the policy-templates repository.

With the templates, it was up to the user to change values such as the namespace and labels to make sure that the policies were actually enforced on their cluster.

With the new kArmor recommend, the user doesn't have to change anything in the policies and can simply apply them to get a secure environment for their Kubernetes deployments.

kArmor recommend recommends policies based on the container image, the k8s manifest, or the actual runtime environment itself.
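An illustration of the fields involved, added here and not taken from the policy-templates repository or from kArmor output: a KubeArmorPolicy whose name, namespace, label and rule paths are constructed for this example. The commented fields are the ones a template user had to adapt by hand so that the policy selected their own workload.

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-pkg-mgmt-tools        # constructed name
  namespace: default                # must be the namespace the workload runs in
spec:
  severity: 5
  message: "package manager execution blocked"
  selector:
    matchLabels:
      app: demo                     # must match the labels on the target pods
  process:
    matchPaths:
      - path: /usr/bin/apt          # constructed rule: deny package managers
      - path: /usr/bin/apt-get
  action: Block
```

If the namespace or selector does not match any running pod, the policy is accepted by the cluster but protects nothing, which is the gap the generated policies are meant to close.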

recommend_help

kArmor recommend update fetches the latest release of policy-templates and saves it locally. These policies are later recommended to the user according to the identified OS distribution and preconditions.

recommend_update

You can get recommendations for an image or for your Kubernetes deployments.

kArmor recommend with the --namespace flag will generate security policies for your active cluster if there is at least one deployment in the namespace.

recommend_namespace

The recommendations can be filtered further using the --labels flag. With it, the user can pass an array of labels belonging to the deployments that need policy recommendations.

recommend_namespace_labels

Policy recommendation can also be used on docker images using karmor recommend. The --images flag lets the user get recommendations for any docker images.

recommend_image

karmor recommend is also equipped with 2 reporting features: text and HTML. The text-based reporting is enabled by default and creates a report.txt file under the default output directory out. Both the directory and the report file can be customized using the --outdir and --report flags respectively.

recommend_namespace_dir

The HTML reporting will generate an HTML page with all the important information.

recommend_namespace_html

recommend_html

Observability Extensions

...

Generate k8s network policies from KubeArmor logs

...

Bug fixes and improvements [WIP]
