Test KubeArmor on AWS Graviton

[Ankurk99]

Feature Request

Short Description
We already support KubeArmor on ARM based processors (tested on Raspberry Pi 4, M1). The aim of this issue is to test and confirm KubeArmor working on AWS ARM based processor - Graviton.

• enforcement supported? What is the LSM used?
• Audit/Observability supported
• Paste the output of karmor probe

Ref: https://aws.amazon.com/ec2/graviton/

[HariVamsiK]

Hello @Ankurk99 I'll work on this issue. Please assign it to me.

[Ankurk99]

Hey @HariVamsiK, if you need any assistance in setting up the cluster or if you want access to AWS Graviton, feel free to ask.

[HariVamsiK]

Yeah sure. Thanks @Ankurk99

[Ankurk99]

Hey @HariVamsiK, were you able to setup the cluster?

[HariVamsiK]

Did it yesterday..My AWS account was having some issues. I'm yet to test it.

[HariVamsiK]

I have used Graviton instance(t4g.small) with Ubuntu 22.04 arm64 as the image. Deployed K3s and probed it.

[HariVamsiK]

@Ankurk99 Do I need to test it on any other platform(like microk8s or minikube)? If not I can update the support matrix and raise the PR.

[Ankurk99]

Hey @HariVamsiK it seems that KubeArmor is running fine. Can you please perform the items mentioned in the description checklist? For enforcement you can try applying any policies and see if the resources are being correctly blocked. Similarly we will be expecting logs for the corresponding enforcement. This should be verified with karmor logs showing the appropriate alerts based on the enforcement (with details like applied policy name, action, LSM used etc.)
This link might help you choosing the testing workload (wordpress-mysql) and the security policies which you can apply for testing: https://github.com/kubearmor/KubeArmor/wiki/KubeArmor-manual-tests-before-releases

Please let us know if you face any difficulty

[HariVamsiK]

Yeah sure.

[Ankurk99]

Hey @HariVamsiK, were you able to test the enforcement and observability?

[HariVamsiK]

karmor probe and pods

wordpress-mysql deployed and tested

karmor logs

AppArmor is primarily used in enforcement and it is the Active LSM.
Audit/Observability Supported : Yes

[nyrahul]

Lets verify with Amazon Linux 2 as well. We can update the support-matrix post that.

[HariVamsiK]

karmor probe and pods

wordpress-mysql deployed and tested

karmor logs

There is no Active LSM, checking the karmor logs after testing security policies on wordpress-mysql the enforcer is eBPF Monitor.
Audit/Observability: Yes

[Ankurk99]

@HariVamsiK Can you please update the support matrix with AWS Graviton support here: https://github.com/kubearmor/KubeArmor/blob/main/getting-started/support_matrix.md?