KubeArmor supports following types of workloads:
- K8s orchestrated: Workloads deployed as k8s orchestrated containers. In this case, Kubearmor is deployed as a k8s daemonset. Note, KubeArmor supports policy enforcement on both k8s-pods (KubeArmorPolicy) as well as k8s-nodes (KubeArmorHostPolicy).
- Containerized: Workloads that are containerized but not k8s orchestrated are supported. KubeArmor installed in systemd mode can be used to protect such workloads.
- VM/Bare-Metals: Workloads deployed on Virtual Machines or Bare Metal i.e. workloads directly operating as host/system processes. In this case, Kubearmor is deployed in systemd mode.
Provider | K8s engine | OS Image | Arch | Observability | Audit Rules | Blocking Rules | Network-Segmentation | LSM Enforcer | Remarks |
---|---|---|---|---|---|---|---|---|---|
Onprem | kubeadm, k3s, microk8s | Distros | x86_64, ARM | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM, AppArmor | |
GKE | COS | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM, AppArmor | All release channels | |
GKE | Ubuntu >= 16.04 | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM, AppArmor | All release channels | |
Microsoft | AKS | Ubuntu >= 18.04 | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM, AppArmor | |
Oracle | OKE | UEK >=7 | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM | Oracle Linux Server 8.7 |
IBM | IBM k8s Service | Ubuntu | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM, AppArmor | |
AWS | EKS | Amazon Linux 2 (kernel >=5.8) | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM | |
AWS | EKS | Amazon Linux 2 (kernel <=5.4) | x86_64 | ✔️ | ✔️ | ❌ | ✔️ | SELinux | |
AWS | EKS | Ubuntu | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | AppArmor | |
AWS | EKS | Bottlerocket | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM | |
AWS | Graviton | Ubuntu | ARM | ✔️ | ✔️ | ✔️ | ✔️ | AppArmor | |
AWS | Graviton | Amazon Linux 2 | ARM | ✔️ | ✔️ | ❌ | ✔️ | SELinux | |
RedHat | OpenShift | RHEL <=8.4 | x86_64 | ✔️ | ✔️ | ❌ | ✔️ | SELinux | |
RedHat | OpenShift | RHEL >=8.5 | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM | |
Rancher | RKE | SUSE | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM, AppArmor | |
Rancher | K3S | Distros | x86_64 | ✔️ | ✔️ | ✔️ | ✔️ | BPFLSM, AppArmor | |
Oracle | Ampere | UEK | ARM | ✔️ | ✔️ | ❌ | ✔️ | ✔️ | 1084 |
VMWare | Tanzu | TBD | x86_64 | 🚧 | 🚧 | 🚧 | 🚧 | 🚧 | 1064 |
Following distributions are tested for VM/Bare-metal based installations:
Provider | Distro | VM / Bare-metal | Kubernetes |
---|---|---|---|
SUSE | SUSE Enterprise 15 | Full | Full |
Debian | Buster / Bullseye | Full | Full |
Ubuntu | 18.04 / 16.04 / 20.04 | Full | Full |
RedHat / CentOS | RHEL / CentOS <= 8.4 | Full | Partial |
RedHat / CentOS | RHEL / CentOS >= 8.5 | Full | Full |
Fedora | Fedora 34 / 35 | Full | Full |
Rocky Linux | Rocky Linux >= 8.5 | Full | Full |
AWS | Amazon Linux 2022 | Full | Full |
RaspberryPi (ARM) | Debian | Full | Full |
Note Full: Supports both enforcement and observability
Partial: Supports only observability
Please approach the Kubearmor community on slack or raise a GitHub issue to express interest in adding the support.
It would be very much appreciated if you can test kubearmor on a platform not listed above and if you have access to. Once tested you can update this document and raise a PR.