v0.7 Release Blog
KubeArmor is increasingly deployed in near-edge and far-edge scenarios for enhanching security for IoT/Edge aspects. KubeArmor has added support to handle the characteristics of edge scenarios such as:
- Support for heterogenous platforms (most of the edge is deployed on ARM, Intel). KubeArmor also ensures that the same policy enforcement techniques are delivered across different linux kernel versions. It does this by abstracting the policy layer from the enforcement layer and the enforcement layer uses the techniques that are available in the context of the deployed worker node.
- Edge devices are constrained in terms of CPU and memory availability. The overall resource usage on KubeArmor has been drastically reduced. This has not only helped edge scenarios but cloud based deployments as well.
- KubeArmor supports the philosophy of "Do not assume always-on connectivity with the cloud platform".
Recently KubeArmor finished its integration with LFEdge Open Horizon. KubeArmor is also now listed on Intel SmartEdge Marketplace. Intel® Smart Edge is a Kubernetes-based, edge computing platform for deploying edge networks and delivering multi-access edge computing (MEC) for applications, containers, and virtual machines.
- RPI - Both as a systemd service and on k8s
- Azure ARM VM
- Apple Macbook M1 laptops
KubeArmor currently applies policy at the pod level i.e. in the KubeArmorPolicy you specify the selector labels which selects a set of pods across the cluster. However, a single pod may contain multiple containers and each container usually has a very different purpose and the set of binaries or file paths may vary across multiple containers within the pod.
This release adds support to apply the policies at specific container level by extending the selector label policy construct. Following is an instantiation of this construct:
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: block-ls-at-container-1
namespace: wordpress-mysql
spec:
severity: 2
selector:
matchLabels:
app: wordpress
kubearmor.io/container.name: "[container-1]"
process:
matchPaths:
- path: /bin/ls
action:
BlockNote the use of kubearmor.io/container.name: "[container-1]" construct as part of the selector labels that allows kubearmor to select specific container(s) within the pod.
The file system paths and binaries present in different containers might be completely different. Without this feature, the block of a process operation in one container would also be blocked in other containers. The discovery-engine automatically discovers the security posture of the k8s application discovers what operations should be allowed. These operations are container specific and should be restricted to specific containers. Thus without the ability to specify container specific rules, there are chances that either the security posture is too generic (in the case of allow based policies) or too restrictive (in the case of block based policies).
Specifying container specific labels are optional i.e., if the container information is not specified then the previous way of applying the policies at pod level is retained.
KubeArmor is a security policy engine and it needs to be ensured that the engine itself follows all the right security practices. Privileged containers are usually frowned upon. Almost every static scanning engine will flag this as an issue. In lot of cases, organizations deploy admission controllers that would not allow containers to be installed in privileged mode.
This release achieves following in the context:
- Removes the use of
privilege: trueflag in the context of kubearmor and associated accessory pods. - Enables individual capabilities in place of enabling all capabilities for the kubearmor containers.
- Allows kubearmor to be installed in non-kube-system namespace.
Kudos to Anurag Kumar who achieved this as part LFX Mentorship Project.
KubeArmor already had a community driven curated list of System and Network policy templates at policy-template repository.
With the templates, it was upto the user to change values like namespace labels etc to make sure that the policies are actually enforcing on their cluster.
With the new kArmor recommend it is made sure that the user doesn't have to change anything on the policy but rather simply apply them to get a secure environment for the Kubernetes deployments.
kArmor recommend recommends policies based on container image, k8s manifest or the actual runtime environment itself.
karmor recommend --help
Recommend policies based on container image, k8s manifest or the actual runtime env
Usage:
karmor recommend [flags]
karmor recommend [command]
Available Commands:
update Updates policy-template cache
Flags:
-c, --config string absolute path to image registry configuration file
-h, --help help for recommend
-i, --image strings Container image list (comma separated)
-l, --labels strings User defined labels for policy (comma separated)
-n, --namespace string User defined namespace value for policies
-o, --outdir string output folder to write policies (default "out")
-r, --report string report file (default "report.txt")
-t, --tag strings tags (comma-separated) to apply. Eg. PCI-DSS, MITRE
Global Flags:
--context string Name of the kubeconfig context to use
--kubeconfig string Path to the kubeconfig file to use
Use "karmor recommend [command] --help" for more information about a command.The kArmor recommend update fetches the latest release of policy-templates and saves them locally. These policies are later recommended to the user according to the identified os distribution and preconditions.
karmor recommend update
INFO[0008] policy-templates updated Current Version=v0.1.4You can get recommendation for an image or your kubernetes deployments.
kArmor recommend with --namespace flag will generate security policies for your active cluster if there is atleast one deployment in the namespace.
karmor recommend --namespace wordpress-mysql
INFO[0005] pulling image image="mysql:5.6"
5.6: Pulling from library/mysql
Digest: sha256:20575ecebe6216036d25dab5903808211f1e9ba63dc7825ac20cb975e34cfcae
Status: Image is up to date for mysql:5.6
INFO[0012] dumped image to tar tar=/tmp/karmor877338619/eCAIymyP.tar
Distribution debian
INFO[0013] No runtime policy generated for wordpress-mysql/mysql/mysql:5.6
created policy out/wordpress-mysql-mysql/mysql-5-6-cis-mysql-1-2.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-audit-access-to-mysqldump.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-maintenance-tool-access.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-cert-access.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-system-owner-discovery.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/wordpress-mysql-mysql/mysql-5-6-least-functionality-execute-package-management-process-in-container.yaml ...
INFO[0014] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0024] dumped image to tar tar=/tmp/karmor615747835/DDgLodyj.tar
Distribution debian
INFO[0026] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in out/report.txt ...The recommendation can be further filtered down using the flag --labels. With this the user can input an array of labels belonging to deployments which needs policy recommendation.
karmor recommend --namespace wordpress-mysql --labels app=wordpress
INFO[0000] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0015] dumped image to tar tar=/tmp/karmor4070582578/GwoIiuRV.tar
Distribution debian
INFO[0018] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in out/report.txt ...Policy recommendation can also be used on docker images using karmor recommend. The --images flag lets the user to get recommendation for any docker images.
karmor recommend --image ubuntu:latest
INFO[0000] pulling image image="ubuntu:latest"
latest: Pulling from library/ubuntu
Digest: sha256:4b1d0c4a2d2aaf63b37111f34eb9fa89fa1bf53dd6e4ca954d47caebca4005c2
Status: Image is up to date for ubuntu:latest
INFO[0010] dumped image to tar tar=/tmp/karmor4157088184/DRHNcyic.tar
Distribution ubuntu
INFO[0011] No runtime policy generated for //ubuntu:latest
created policy out/ubuntu-latest/maintenance-tool-access.yaml ...
created policy out/ubuntu-latest/system-owner-discovery.yaml ...
created policy out/ubuntu-latest/system-monitoring-deny-write-under-bin-directory.yaml ...
created policy out/ubuntu-latest/least-functionality-execute-package-management-process-in-container.yaml ...
output report in out/report.txt ...karmor recommend is also equipped with 2 reporting features: text and html. The text based reporting is enabled by default and creates a report.txt file under the default output directory out. Both the directory and report file can be customized using --outdir and --report flags respectively.
karmor recommend --namespace wordpress-mysql --labels app=wordpress --outdir wordpress-out
INFO[0000] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0020] dumped image to tar tar=/tmp/karmor1901668123/uFSqMXLS.tar
Distribution debian
INFO[0022] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in wordpress-out/report.txt ...
Deployment | wordpress-mysql/wordpress
Container | wordpress:4.8-apache
OS | linux
Arch | amd64
Distro | debian
Output Directory | wordpress-out/wordpress-mysql-wordpress
policy-template version | v0.1.4
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| POLICY | SHORT DESC | SEVERITY | ACTION | TAGS |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-maintenance- | Restrict access to maintenance | 1 | Audit | PCI_DSS,MITRE |
| tool-access.yaml | tools (apk, mii-tool, ...) | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-cert- | Restrict access to trusted | 1 | Block | MITRE,MITRE_T1552_unsecured_credentials |
| access.yaml | certificated bundles in the OS | | | |
| | image | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-system-owner- | System Information Discovery | 3 | Block | MITRE,MITRE_T1082_system_information_discovery |
| discovery.yaml | - block system owner discovery | | | |
| | commands | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-system- | System and Information | 5 | Block | NIST,MITRE,NIST_800-53_AU-2,NIST_800-53_SI-4,MITRE_T1036_masquerading |
| monitoring-deny-write-under-bin- | Integrity - System Monitoring | | | |
| directory.yaml | make directory under /bin/ | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-system- | System and Information | 5 | Audit | NIST,MITRE,NIST_800-53_AU-2,NIST_800-53_SI-4,MITRE_T1036_masquerading |
| monitoring-write-under-dev- | Integrity - System Monitoring | | | |
| directory.yaml | make files under /dev/ | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+
| wordpress-4-8-apache-least- | System and Information | 5 | Block | SI-4,NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,process |
| functionality-execute-package- | Integrity - Least | | | |
| management-process-in- | Functionality deny execution | | | |
| container.yaml | of package manager process in | | | |
| | container | | | |
+------------------------------------+--------------------------------+----------+--------+-----------------------------------------------------------------------+The html reporting will generate an html page with the all the important information.
karmor recommend --namespace wordpress-mysql --labels app=wordpress --outdir wordpress-out --report wordpress.html
INFO[0000] pulling image image="wordpress:4.8-apache"
4.8-apache: Pulling from library/wordpress
Digest: sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Status: Image is up to date for wordpress:4.8-apache
INFO[0015] dumped image to tar tar=/tmp/karmor3128023835/TFNSLVYA.tar
Distribution debian
INFO[0017] No runtime policy generated for wordpress-mysql/wordpress/wordpress:4.8-apache
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-maintenance-tool-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-cert-access.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-owner-discovery.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-deny-write-under-bin-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-system-monitoring-write-under-dev-directory.yaml ...
created policy wordpress-out/wordpress-mysql-wordpress/wordpress-4-8-apache-least-functionality-execute-package-management-process-in-container.yaml ...
output report in wordpress-out/wordpress.html ...
...
...
- Ability to specific LSM order (#788). On certain platforms it is possible that multiple LSMs are available for enforcing a policy. For e.g., in case of Google COS (Container Optimized OS), both AppArmor and BPF-LSM are available. By default, kubearmor choses BPF-LSM if available, but with this change it is possible to specify the LSM order that could be used for policy enforcement.
- Support for readOnly flag with BPF-LSM (#962)
- Fix AppArmor policies behavior (#954)
- Discovery engine fixes
- Relative path are not shown anymore
- Improved
karmor summaryoutput - Improved discovered policies rules to include all necessary paths
- Data race conditions fixes (#842)
