Skip to content

v0.7 Release Blog

Jump to bottom
Ankur Kothiwal edited this page Nov 13, 2022 · 29 revisions

ARM support for KubeArmor

ARM KubeArmor support

Why the support was considered?

KubeArmor is increasingly deployed in near-edge and far-edge scenarios for enhanching security for IoT/Edge aspects. KubeArmor has added support to handle the characteristics of edge scenarios such as:

  1. Support for heterogenous platforms (most of the edge is deployed on ARM, Intel). KubeArmor also ensures that the same policy enforcement techniques are delivered across different linux kernel versions. It does this by abstracting the policy layer from the enforcement layer and the enforcement layer uses the techniques that are available in the context of the deployed worker node.
  2. Edge devices are constrained in terms of CPU and memory availability. The overall resource usage on KubeArmor has been drastically reduced. This has not only helped edge scenarios but cloud based deployments as well.
  3. KubeArmor supports the philosophy of "Do not assume always-on connectivity with the cloud platform".

Recently KubeArmor finished its integration with LF Edge Open Horizon. KubeArmor is also now listed on Intel SmartEdge Marketplace. LFEdge Open Horizon and Intel® Smart Edge are edge computing platforms for deploying edge networks and delivering multi-access edge computing (MEC) for applications, containers, k8s, and virtual machines.

Which ARM platforms were tested?

  1. RPI - Both as a systemd service and on k8s
  2. Azure ARM VM
  3. Apple Macbook M1 laptops

Container based policy support

KubeArmor currently applies policy at the pod level i.e. in the KubeArmorPolicy you specify the selector labels which selects a set of pods across the cluster. However, a single pod may contain multiple containers and each container usually has a very different purpose and the set of binaries or file paths may vary across multiple containers within the pod.

This release adds support to apply the policies at specific container level by extending the selector label policy construct. Following is an instantiation of this construct:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-ls-at-container-1
  namespace: wordpress-mysql
spec:
  severity: 2
  selector:
    matchLabels:
      app: wordpress
      kubearmor.io/container.name: "[container-1]"
  process:
    matchPaths:
    - path: /bin/ls
  action:
    Block

Note the use of kubearmor.io/container.name: "[container-1]" construct as part of the selector labels that allows kubearmor to select specific container(s) within the pod.

Container specific policies

Need for multi-container support

The file system paths and binaries present in different containers might be completely different. Without this feature, the block of a process operation in one container would also be blocked in other containers. The discovery-engine automatically discovers the security posture of the k8s application discovers what operations should be allowed. These operations are container specific and should be restricted to specific containers. Thus without the ability to specify container specific rules, there are chances that either the security posture is too generic (in the case of allow based policies) or too restrictive (in the case of block based policies).

Backward compatibility

Specifying container specific labels are optional i.e., if the container information is not specified then the previous way of applying the policies at pod level is retained.

Using un-privileged container for KubeArmor daemonset (as a part of LFX Mentorship)

KubeArmor is a security policy engine and it needs to be ensured that the engine itself follows all the right security practices. Privileged containers are usually frowned upon. Almost every static scanning engine will flag this as an issue. In lot of cases, organizations deploy admission controllers that would not allow containers to be installed in privileged mode.

This release achieves following in the context:

  1. Removes the use of privilege: true flag in the context of kubearmor and associated accessory pods.
  2. Enables individual capabilities in place of enabling all capabilities for the kubearmor containers.
  3. Allows kubearmor to be installed in non-kube-system namespace.

Kudos to Anurag Kumar who achieved this as part LFX Mentorship Project.

Policy Recommendations and Reports

KubeArmor already had a community driven curated list of System and Network policy templates at policy-template repository. With the templates, it was upto the user to change values like namespace labels etc to make sure that the policies are actually enforcing on their cluster.

With the new karmor recommend it is made sure that the user doesn't have to change anything on the policy but rather simply apply them to get a secure environment for the Kubernetes deployments.

karmor-recommend

karmor recommend recommends policies based on container image, k8s manifest or the actual runtime environment itself.

$ karmor recommend --help
Recommend policies based on container image, k8s manifest or the actual runtime env

Usage:
  karmor recommend [flags]
  karmor recommend [command]

Available Commands:
  update      Updates policy-template cache

Flags:
  -c, --config string      absolute path to image registry configuration file
  -h, --help               help for recommend
  -i, --image strings      Container image list (comma separated)
  -l, --labels strings     User defined labels for policy (comma separated)
  -n, --namespace string   User defined namespace value for policies
  -o, --outdir string      output folder to write policies (default "out")
  -r, --report string      report file (default "report.txt")
  -t, --tag strings        tags (comma-separated) to apply. Eg. PCI-DSS, MITRE

Global Flags:
      --context string      Name of the kubeconfig context to use
      --kubeconfig string   Path to the kubeconfig file to use

Use "karmor recommend [command] --help" for more information about a command.

Network Policy & Microsegmentation support using KubeArmor

In Kubernetes, the network policy resource is a set of network traffic rules that are applied to a group of pods in a Kubernetes cluster. The network policy specifies how a pod is allowed to communicate with others. Network policy controllers (running as pods in the Kubernetes cluster) convert the requirements and restrictions of the network policies that are retrieved from the Kubernetes API into the network infrastructure.

KubeArmor has visibility into the network connections made into or from the pods. It has visibility across socket(), bind(), connect(), accept() calls. KubeArmor along with the discovery-engine could now auto-generate kubernetes network policy which are enforceable using most of the k8s CNIs (Container Network Interface).

This release allows kubearmor and discovery-engine to do automatic network microsegmentation by detecting the network connections and creating appropriate network policies based on it.

K8s network policy rule support using kubearmor

Bug fixes and improvements

  • Ability to specific LSM order (#788). On certain platforms it is possible that multiple LSMs are available for enforcing a policy. For e.g., in case of Google COS (Container Optimized OS), both AppArmor and BPF-LSM are available. By default, kubearmor choses BPF-LSM if available, but with this change it is possible to specify the LSM order that could be used for policy enforcement.
  • Support for readOnly flag with BPF-LSM (#962)
  • Fix AppArmor policies behavior (#954)
  • Discovery engine fixes
    • Relative path are not shown anymore
    • Improved karmor summary output
    • Improved discovered policies rules to include all necessary paths
  • Data race conditions fixes (#842)

Clone this wiki locally