This recipe explains how to use KubeArmor directly on a VM/Bare-Metal machine, and we tested the following steps on Ubuntu hosts.
The recipe installs kubearmor
as systemd process and karmor
cli tool to manage policies and show alerts/telemetry.
- Download the latest release or KubeArmor.
- Install KubeArmor (VER is the kubearmor release version)
sudo apt install ./kubearmor_${VER}_linux-amd64.deb
Note that the above automatically installs
bpfcc-tools
with our package, but your distribution might have an older version of BCC. In case of errors, consider installingbcc
from source.
For distributions other than Ubuntu/Debian
-
Refer Installing BCC to install pre-requisites.
-
Download release tarball from KubeArmor releases for the version you want
wget https://github.com/KubeArmor/KubeArmor/releases/download/v${VER}/kubearmor_${VER}_linux-amd64.tar.gz
- Unpack the tarball to the root directory:
sudo tar --no-overwrite-dir -C / -xzf kubearmor_${VER}_linux-amd64.tar.gz
sudo systemctl daemon-reload
sudo systemctl start kubearmor
Check the status of KubeArmor using sudo systemctl status kubearmor
or use sudo journalctl -u kubearmor -f
to continuously monitor kubearmor logs.
Following policy is to deny execution of sleep
binary on the host:
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
name: hsp-kubearmor-dev-proc-path-block
spec:
process:
matchPaths:
- path: /usr/bin/sleep # try sleep 1
action:
Block
Save the above policy to hostpolicy.yaml
and apply:
karmor vm policy add hostpolicy.yaml
Now if you run sleep
command, the process would be denied execution.
Note that
sleep
may not blocked if you run it in the same terminal where you apply the above policy. In that case, please open a new terminal and runsleep
again to see if the command is blocked.
karmor log --json
{
"Timestamp": 1639803960,
"UpdatedTime": "2021-12-18T05:06:00.077564Z",
"ClusterName": "Default",
"HostName": "pandora",
"HostPID": 3390423,
"PPID": 168556,
"PID": 3390423,
"UID": 1000,
"PolicyName": "hsp-kubearmor-dev-proc-path-block",
"Severity": "1",
"Type": "MatchedHostPolicy",
"Source": "zsh",
"Operation": "Process",
"Resource": "/usr/bin/sleep",
"Data": "syscall=SYS_EXECVE",
"Action": "Block",
"Result": "Permission denied"
}