-
Notifications
You must be signed in to change notification settings - Fork 355
v0.8 Release Blog
KubeArmor supports multiple modes of deployment today, including using manifests files, helm, and using karmor cli tool.
However, operator based installation was desired for KubeArmor for following reasons:
- To handle the scenario where the cluster contains multiple nodes supporting different LSM (Linux Security Modules). KubeArmor cannot set the AppArmor annotation in context to the workload deployed on the node not supporting apparmor.
- There are certain services such as Kubearmor relay whose resource utilization depends on the number of nodes operating within the cluster.
Operator based installation and subsequent monitoring simplies handling of such scenarios.
With this release, the karmor cli tool or the helm/manifests will install the operator and then the operator will install the relevant daemonset and services needed.
Multiple controllers such as policy-controller, host-policy-controller were separately installed. The new release consolidates multiple controllers into a single pod reducing the overall number of kubearmor pods deployed in the cluster.
KubeArmor uses eBPF for two purposes:
- Get visibility/observability events into the workloads.
- To get alerts in the context of the policies
The operations involved in point 1 are straight forward i.e, kubearmor get a events, matches the events with the process, container, pod, namespace information and annotates the events and sends the event out to the clients waiting on the stream.
The operations involved in point 2 are tricky. When kubearmor gets an event, it needs to check whether the event parameters matches any of the policy specification/rules and if it does, generate an alert accordingly. The challenge here is that the matching operation is a non-trivial operation. Assume that the user has set the policy to block execution of /usr/bin/sleep
binary. Now when the event is generated, the kretprobe of the sys_execve syscall is going to return "Permission Denied" since the LSM will block the event. Currently, KubeArmor matches the binary name and other contextual information with the policy rules that it has internally stored and check whether the event was triggered due to a policy violation. This matching operation is non-trivial. Note that the access could be denied permission for reasons outside the scope of KubeArmor i.e, due to capability LSM or due to other access control settings. Thus it should not be inferred that a "Permission Denied" event will always be triggered due to KubeArmor enforced policy decisions only.
Traditional LSMs such as AppArmor, SELinux, use Kernel Audit mechanism to send the policy violation events. Kernel Audit is supported across most of the kernels. Note that this change does not depend on userspace components such as auditd.
This has a drastic positive impact on the performance of kubearmor since there is no policy-matching code involved in every system call hook.
karmor summary
of bind/syscalls
karmor profile