Skip to content

Commit

Permalink
Merge pull request #1778 from rksharma95/kubearmor-security-enhanceme…
Browse files Browse the repository at this point in the history
…nt-doc

doc(Security): Kubearmor security enhancement doc
  • Loading branch information
PrimalPimmy authored Jun 3, 2024
2 parents bbdc04d + 359339b commit 52352c8
Show file tree
Hide file tree
Showing 2 changed files with 74 additions and 0 deletions.
Binary file added .gitbook/assets/kubearmor-tls-arch-overview.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
74 changes: 74 additions & 0 deletions getting-started/kubearmor-security-enhancements.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
# Security Enhancements for KubeArmor

## 1. Secure Kubearmor with Seccomp

To further enhance the security of KubeArmor itself, it is crucial to protect it using seccomp (secure computing mode), a Linux kernel feature that restricts the system calls (syscalls) a process can make, thereby reducing the attack surface.

With this, Kubearmor will only be using Syscalls necessary to function.


### Enabling seccomp in Kubearmor Configuration

By default, seccomp is disabled.

In the [Kubearmor Config](https://github.com/kubearmor/KubeArmor/blob/main/pkg/KubeArmorOperator/config/samples/sample-config.yml), set `seccompEnabled: true` and do a `kubectl apply -f config.yaml` to enable seccomp hardening for Kubearmor.

You can check out https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/pkg/KubeArmorOperator/seccomp/seccomp.go#L19 to see the list of Syscalls that are allowed by Kubearmor after it is enabled.

### Debugging

There may be some enviroments where seccomp profiles might not work, for example a K8s enviroment where the Kubelet path is different than the default `/var/lib/kubelet`. We are currently in the process of defining our own Kubelet path in a future update.

Other issues like missing syscalls in a particular K8s setup is possible, in that case raise an issue in the [repo](https://github.com/kubearmor/KubeArmor/issues).


## 2. Secure gRPC Communication

Communication with KubeArmor (v1.3.0^) and Relay (v1.2.0^) endpoints
is protected using TLS. Both microservices support mTLS to ensure secure and authenticated communication.

![kubearmor-tls-arch-overview](../.gitbook/assets/kubearmor-tls-arch-overview.png)


### TLS Configurations

#### KubeArmor Operator

KubeArmorConfig CR supports these [TLS Configurations](https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml#L136-L149) that can be used to configure TLS.

```
tls:
enable: true/false
extraDnsNames: []
extraIpAddresses: []
```

`extraDnsNames`, and `extraIpAddresses` can be used to configure additional hosts where relay is being served i.e. to connect with relay using port-forward on localhost or 127.0.0.1 it needs to be configured as additional hosts first.

By default localhost and 127.0.0.1 are configured as additional hosts.

#### KubeArmor Helm Chart

helm chart supports global flag to enable/disable TLS.
```
tls:
enabled: true/false
```
In addition, both kubearmor and kubearmor relay supports tls specific configurations:
[kubearmor relay tls configurations](https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/deployments/helm/KubeArmor/values.yaml#L26)
[kubearmor tls configurations](https://github.com/kubearmor/KubeArmor/blob/bbdc04d4dea3c3e717821e4894f46bd7b30c0d4b/deployments/helm/KubeArmor/values.yaml#L112)

##### Mode 1: External CA and client/server certificates:

`--tlsCertProvider: external`

Use this configuration to provide your own configure CA.
For kubearmor relay both client and server certificates can be provided externally.

KubeArmor only takes CA externally and creates its own certificates signed using provided CA.

##### Mode 2: External CA and dynamic client/server certificates:

`--tlsCertProvider: self`

Provided this configuration for both KubeArmor and Relay, they create their own certificates dynamically signed with provided CA.

0 comments on commit 52352c8

Please sign in to comment.