-
Notifications
You must be signed in to change notification settings - Fork 348
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1778 from rksharma95/kubearmor-security-enhanceme…
…nt-doc doc(Security): Kubearmor security enhancement doc
- Loading branch information
Showing
2 changed files
with
74 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
# Security Enhancements for KubeArmor | ||
|
||
## 1. Secure Kubearmor with Seccomp | ||
|
||
To further enhance the security of KubeArmor itself, it is crucial to protect it using seccomp (secure computing mode), a Linux kernel feature that restricts the system calls (syscalls) a process can make, thereby reducing the attack surface. | ||
|
||
With this, Kubearmor will only be using Syscalls necessary to function. | ||
|
||
|
||
### Enabling seccomp in Kubearmor Configuration | ||
|
||
By default, seccomp is disabled. | ||
|
||
In the [Kubearmor Config](https://github.com/kubearmor/KubeArmor/blob/main/pkg/KubeArmorOperator/config/samples/sample-config.yml), set `seccompEnabled: true` and do a `kubectl apply -f config.yaml` to enable seccomp hardening for Kubearmor. | ||
|
||
You can check out https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/pkg/KubeArmorOperator/seccomp/seccomp.go#L19 to see the list of Syscalls that are allowed by Kubearmor after it is enabled. | ||
|
||
### Debugging | ||
|
||
There may be some enviroments where seccomp profiles might not work, for example a K8s enviroment where the Kubelet path is different than the default `/var/lib/kubelet`. We are currently in the process of defining our own Kubelet path in a future update. | ||
|
||
Other issues like missing syscalls in a particular K8s setup is possible, in that case raise an issue in the [repo](https://github.com/kubearmor/KubeArmor/issues). | ||
|
||
|
||
## 2. Secure gRPC Communication | ||
|
||
Communication with KubeArmor (v1.3.0^) and Relay (v1.2.0^) endpoints | ||
is protected using TLS. Both microservices support mTLS to ensure secure and authenticated communication. | ||
|
||
![kubearmor-tls-arch-overview](../.gitbook/assets/kubearmor-tls-arch-overview.png) | ||
|
||
|
||
### TLS Configurations | ||
|
||
#### KubeArmor Operator | ||
|
||
KubeArmorConfig CR supports these [TLS Configurations](https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml#L136-L149) that can be used to configure TLS. | ||
|
||
``` | ||
tls: | ||
enable: true/false | ||
extraDnsNames: [] | ||
extraIpAddresses: [] | ||
``` | ||
|
||
`extraDnsNames`, and `extraIpAddresses` can be used to configure additional hosts where relay is being served i.e. to connect with relay using port-forward on localhost or 127.0.0.1 it needs to be configured as additional hosts first. | ||
|
||
By default localhost and 127.0.0.1 are configured as additional hosts. | ||
|
||
#### KubeArmor Helm Chart | ||
|
||
helm chart supports global flag to enable/disable TLS. | ||
``` | ||
tls: | ||
enabled: true/false | ||
``` | ||
In addition, both kubearmor and kubearmor relay supports tls specific configurations: | ||
[kubearmor relay tls configurations](https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/deployments/helm/KubeArmor/values.yaml#L26) | ||
[kubearmor tls configurations](https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/deployments/helm/KubeArmor/values.yaml#L112) | ||
|
||
##### Mode 1: External CA and client/server certificates: | ||
|
||
`--tlsCertProvider: external` | ||
|
||
Use this configuration to provide your own configure CA. | ||
For kubearmor relay both client and server certificates can be provided externally. | ||
|
||
KubeArmor only takes CA externally and creates its own certificates signed using provided CA. | ||
|
||
##### Mode 2: External CA and dynamic client/server certificates: | ||
|
||
`--tlsCertProvider: self` | ||
|
||
Provided this configuration for both KubeArmor and Relay, they create their own certificates dynamically signed with provided CA. |