Container Security Capabilities for Graviton Instances

[atilsensalduz]

I've been experimenting with blocking file access, and upon reviewing the logs, I noticed that the outcome indicates "passed" with the action listed as "Action: Audit (Block)." However, upon further inspection using the karmor probe, I found that container security is marked as false. Additionally, upon consulting the support matrix, it appears that Amazon Linux 2 (kernel >=5.8) only supports the x86_64 architecture. Considering the escalating adoption of graviton instances, could we explore incorporating container security capabilities for graviton instances?

OS Image:                 	Amazon Linux 2
Kernel Version:           	5.10.210-201.852.amzn2.aarch64
Kubelet Version:          	v1.27.9-eks-5e0fdde
Container Runtime:        	containerd://1.7.11
Active LSM:
Host Security:            	false
Container Security:       	false
Container Default Posture:	audit(File)                   	audit(Capabilities)	audit(Network)
Host Default Posture:     	audit(File)                   	audit(Capabilities)	audit(Network)
Host Visibility:          	none

[atilsensalduz]

I just saw the following entry in the support matrix but I'm not sure why platform is graviton instead of EKS

[DelusionalOptimist]

Hey @atilsensalduz
Currently only apparmor based enforcement will work on Ubuntu/Debian based distros on Graviton.
We verified that the latest kernel on Graviton for AL2 and Bottle rocket is Kernel version 6.1 and that has a kernel issue with BPF LSM. The issue is resolved in kernel 6.4 but is still not available on AL2 and Bottlerocket. Ref - #1084 (comment)

[nyrahul]

Here is the kernel patch that gets BPF LSM working on arm64/aarch64 for anyone who is interested.

[atilsensalduz]

Thank you for the detailed explanation, team. Should I proceed with closing the ticket, or would it be preferable to continue monitoring the progress of reenabling Container Security for Graviton instances after the launch of Kernel 6.4?