Hardening security on Kubernetes with KubeArmor

KubeArmor provides runtime protection on Kubernetes using policies. It uses eBPF and Linux Security Modules (LSM). It can restrict any malicious or unwanted behavior by cluster uses.

As you can see the Kubearmor is placed between the kernel and running pods. In this placement, it can filter out restricted actions. On the cluster.

KubeArmor is currently in the Sandbox category on the cncf.io.

An example of a policy that restricts running ps in the active containers is given below.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-group-1-proc-path-block
spec:
  severity: 5
  message: "block /bin/ps"
  selector:
    matchLabels:
      group: group-1
  process:
    matchPaths:
    - path: /usr/bin/ps
  action:
    Block

After applying it to the running cluster. When you try to exec ps in the containers it will block the action.

Let's start to see how to install karmor on the existing cluster. Pre requisite is to have running cluster. If you want to setup one you can check out the article:

How do I create a Kubernetes laboratory?

Setting up a Kubernetes lab is often a necessity in my daily work. Testing various software, understanding how to run it, configure it, learning new features, and so on. It’s part of the job. Running directly on the cloud could raise costs and using local development tools is a choice

qdnqnAdnan Selimovic

We will go through the installation process of the KubeArmor, some neat policy examples, network hardening, and scanning of the current cluster with the KubeArmor which recommends policies automatically.