FAQs for Kubearmor #647

Closed
17 tasks done
nyrahul opened this issue Mar 11, 2022 · 3 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request

Comments

nyrahul (Contributor) commented Mar 11, 2022

FAQs we can answer:

General Queries

  • What deployments (GKE, EKS, Tanzu, OpenShift) are supported by KubeArmor? How can I check whether my deployment will be supported?
  • How is KubeArmor different from PodSecurityPolicy/PodSecurityContext?
  • What are the different approaches to runtime security? What is KubeArmor's approach?
  • What is the "visibility" that I hear of in KubeArmor, and how do I get visibility information?
    • How do I get process events in the context of a specific pod?
  • How is KubeArmor different from admission controllers (Kyverno, OPA)? Are the use-cases different? What are the risks that KubeArmor can additionally cover on top of an admission controller?
  • What are KubeArmor's policy actions? How do they compare to other runtime engines?
  • What is the difference between KubeArmorHostPolicy and KubeArmorPolicy?
  • Where can I find examples of realistic policies for real workloads?
  • What are the Policy Actions supported by KubeArmor? (What happens if a Block policy is used and enforcement is not supported on the platform?)
  • How to enable KubeArmorHostPolicy in a k8s env?

Troubleshooting & Diagnostics

  • I am running into problems; where can I ask for help, and what should I do before asking for help? Troubleshooting Guide #499
  • KubeArmor policy enforcement works on the multiubuntu example but not on my pods. What could be the reasons?
  • I am trying the example sleep process deny policy and it is not working.
  • Why do some of the examples not work with Alpine?
  • I am deploying an individual pod, but the policies in the context are not getting enforced.
  • I see Action: Audit (Block) but the action is not getting blocked.
  • I get this error: "module kheaders not found in modules.dep / Unable to find kernel headers". What does it mean?
Sample log from kubectl logs -n kube-system kubearmor-xxxxxxx:
2022-06-13 20:12:31.893899	INFO	Initialized Containerd Handler
2022-06-13 20:12:31.897327	INFO	Build Time: 2022-06-13 19:59:36.007842487 +0000 UTC
2022-06-13 20:12:31.897402	INFO	Arguments [cluster:default coverageTest:false defaultCapabilitiesPosture:block defaultFilePosture:block defaultNetworkPosture:block enableKubeArmorHostPolicy:false enableKubeArmorPolicy:true enableKubeArmorVm:false gRPC:32767 host:ip-10-0-1-252 hostDefaultCapabilitiesPosture:block hostDefaultFilePosture:block hostDefaultNetworkPosture:block hostVisibility:default k8s:true logPath:/tmp/kubearmor.log seLinuxProfileDir:/tmp/kubearmor.selinux visibility:process,file,network,capabilities]
2022-06-13 20:12:31.897478	INFO	Configuration [{Cluster:default Host:ip-10-0-1-252 GRPC:32767 LogPath:/tmp/kubearmor.log SELinuxProfileDir:/tmp/kubearmor.selinux Visibility:process,file,network,capabilities HostVisibility:default Policy:true HostPolicy:true KVMAgent:false K8sEnv:true DefaultFilePosture:block DefaultNetworkPosture:block DefaultCapabilitiesPosture:block HostDefaultFilePosture:block HostDefaultNetworkPosture:block HostDefaultCapabilitiesPosture:block CoverageTest:false}]
2022-06-13 20:12:31.897497	INFO	Final Configuration [{Cluster:default Host:ip-10-0-1-252 GRPC:32767 LogPath:/tmp/kubearmor.log SELinuxProfileDir:/tmp/kubearmor.selinux Visibility:process,file,network,capabilities HostVisibility:none Policy:true HostPolicy:true KVMAgent:false K8sEnv:true DefaultFilePosture:block DefaultNetworkPosture:block DefaultCapabilitiesPosture:block HostDefaultFilePosture:block HostDefaultNetworkPosture:block HostDefaultCapabilitiesPosture:block CoverageTest:false}]
2022-06-13 20:12:31.897725	INFO	Initialized Kubernetes client
2022-06-13 20:12:31.897745	INFO	Started to monitor node events
2022-06-13 20:12:32.898044	INFO	Node Name: ip-10-0-1-252
2022-06-13 20:12:32.898093	INFO	Node IP: 10.0.1.252
2022-06-13 20:12:32.898134	INFO	Node Annotations: map[kubearmor-policy:audited kubearmor-visibility:none node.alpha.kubernetes.io/ttl:0 volumes.kubernetes.io/controller-managed-attach-detach:true]
2022-06-13 20:12:32.898144	INFO	OS Image: Amazon Linux 2
2022-06-13 20:12:32.898152	INFO	Kernel Version: 5.4.156-83.273.amzn2.x86_64
2022-06-13 20:12:32.898164	INFO	Kubelet Version: v1.21.2-13+d2965f0db10712
2022-06-13 20:12:32.898170	INFO	Container Runtime: docker://19.3.13
2022-06-13 20:12:32.898512	INFO	Initialized KubeArmor Logger
2022-06-13 20:12:32.899236	INFO	checking if kernel headers path (/media/root/usr/src/linux-headers-5.4.156-83.273.amzn2.x86_64) exists
2022-06-13 20:12:32.899334	INFO	Initializing an eBPF program
modprobe: module kheaders not found in modules.dep
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/5.4.156-83.273.amzn2.x86_64/build): No such file or directory
2022-06-13 20:12:32.903332	ERROR	Failed to initialize BPF (bpf module is nil)
github.com/kubearmor/KubeArmor/KubeArmor/log.Errf
	/usr/src/KubeArmor/KubeArmor/log/logger.go:102
github.com/kubearmor/KubeArmor/KubeArmor/core.(*KubeArmorDaemon).InitSystemMonitor
	/usr/src/KubeArmor/KubeArmor/core/kubeArmor.go:215
github.com/kubearmor/KubeArmor/KubeArmor/core.KubeArmor
	/usr/src/KubeArmor/KubeArmor/core/kubeArmor.go:407
main.main
	/usr/src/KubeArmor/KubeArmor/main.go:44
runtime.main
	/usr/local/go/src/runtime/proc.go:255
2022-06-13 20:12:32.903382	ERROR	Failed to initialize KubeArmor Monitor
github.com/kubearmor/KubeArmor/KubeArmor/log.Err
	/usr/src/KubeArmor/KubeArmor/log/logger.go:97
github.com/kubearmor/KubeArmor/KubeArmor/feeder.(*Feeder).Err
	/usr/src/KubeArmor/KubeArmor/feeder/feeder.go:460
github.com/kubearmor/KubeArmor/KubeArmor/core.KubeArmor
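The kheaders failure in the log above comes down to two lookups that the error text itself names: a module build tree under /lib/modules/<release>/build (the chdir that failed) or the kernel's own embedded headers exposed by the kheaders module (the modprobe that failed; CONFIG_IKHEADERS=m or =y). The preflight check below is an added example, not KubeArmor's code: it reproduces those two lookups against a host root so a node can be checked before the DaemonSet is deployed. The `root` parameter, the fixture builder and the three constructed node trees in `demo()` are assumptions of this example; the kernel release string is the one from the log, and the layout mirrors what the KubeArmor pod sees on the host (mounted under /media/root in the log).

```python
import os
import re
import sys
import tempfile

# Kernel release taken from the log above.
RELEASE = "5.4.156-83.273.amzn2.x86_64"


def read_kernel_config(root, release):
    """Parse <root>/boot/config-<release> into {CONFIG_X: value}; '# CONFIG_X is not set' -> 'n'."""
    path = os.path.join(root, "boot", "config-" + release)
    cfg = {}
    if not os.path.isfile(path):
        return cfg
    with open(path) as fh:
        for line in fh:
            m = re.match(r"^(CONFIG_\w+)=(\S+)", line)
            if m:
                cfg[m.group(1)] = m.group(2).strip('"')
                continue
            m = re.match(r"^# (CONFIG_\w+) is not set", line)
            if m:
                cfg[m.group(1)] = "n"
    return cfg


def diagnose_kernel_headers(release, root="/"):
    """Mirror the two lookups behind the error: a module build tree, else in-kernel headers."""
    build_dir = os.path.join(root, "lib", "modules", release, "build")
    # isdir() follows symlinks, so a dangling /lib/modules/<rel>/build (headers
    # package removed, symlink left behind) is correctly reported as missing.
    has_build_dir = os.path.isdir(build_dir)
    # /sys/kernel/kheaders.tar.xz exists once the kheaders module is loaded
    # (CONFIG_IKHEADERS=m) or when the headers are built in (CONFIG_IKHEADERS=y).
    has_kheaders = os.path.isfile(os.path.join(root, "sys", "kernel", "kheaders.tar.xz"))
    ikheaders = read_kernel_config(root, release).get("CONFIG_IKHEADERS", "unknown")

    if has_build_dir:
        return {"ok": True, "source": "build-dir", "ikheaders": ikheaders, "advice": ""}
    if has_kheaders:
        return {"ok": True, "source": "kheaders", "ikheaders": ikheaders, "advice": ""}
    if ikheaders == "m":
        advice = "kheaders is built as a module but not loaded: run 'modprobe kheaders' on the host"
    else:
        advice = ("no build tree at %s and CONFIG_IKHEADERS=%s: install the kernel "
                  "headers/devel package for release %s" % (build_dir, ikheaders, release))
    return {"ok": False, "source": None, "ikheaders": ikheaders, "advice": advice}


def make_fixture(root, release, ikheaders, build_dir=False, kheaders=False):
    """Construct a fake host tree for offline testing (constructed data, not a real node)."""
    os.makedirs(os.path.join(root, "boot"))
    with open(os.path.join(root, "boot", "config-" + release), "w") as fh:
        fh.write("CONFIG_BPF=y\n")
        fh.write("# CONFIG_IKHEADERS is not set\n" if ikheaders == "n"
                 else "CONFIG_IKHEADERS=%s\n" % ikheaders)
    if build_dir:
        os.makedirs(os.path.join(root, "lib", "modules", release, "build"))
    if kheaders:
        os.makedirs(os.path.join(root, "sys", "kernel"))
        open(os.path.join(root, "sys", "kernel", "kheaders.tar.xz"), "wb").close()
    return root


def demo():
    """Diagnose three constructed nodes; returns the three result dicts in order."""
    base = tempfile.mkdtemp()
    broken = make_fixture(os.path.join(base, "amzn2-no-headers"), RELEASE, "n")
    unloaded = make_fixture(os.path.join(base, "ikheaders-m-unloaded"), RELEASE, "m")
    fixed = make_fixture(os.path.join(base, "kernel-devel-installed"), RELEASE, "n", build_dir=True)
    return [diagnose_kernel_headers(RELEASE, root=r) for r in (broken, unloaded, fixed)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # python3 kheaders_check.py /           (on the node)
        # python3 kheaders_check.py /media/root (from inside the kubearmor pod)
        print(diagnose_kernel_headers(os.uname().release, root=sys.argv[1]))
    else:
        for result in demo():
            print(result)
```

Run it with the host root as the only argument to check the live node; with no argument it walks the three constructed trees. The "n"/"unknown" branch is the case in the log: Amazon Linux 2 with no kernel-devel package for the running kernel, so neither lookup can succeed until the headers package matching `uname -r` is installed.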
@nyrahul nyrahul added the enhancement New feature or request label Mar 11, 2022
@daemon1024 daemon1024 added the documentation Improvements or additions to documentation label Mar 23, 2022
@nyrahul nyrahul added this to the v0.5 milestone Jun 2, 2022
nyrahul added a commit to nyrahul/KubeArmor that referenced this issue Jun 8, 2022
* explicitly states what k8s platforms are supported
* KubeArmor's support for different distributions for VMs/bare-metal.
* Updated deployment guide to link to the support matrix
* updated go.sum

Ref: kubearmor#647

Signed-off-by: Rahul Jadhav <[email protected]>
Signed-off-by: Rahul Jadhav <[email protected]>
Ankurk99 pushed a commit to Ankurk99/KubeArmor that referenced this issue Jun 10, 2022
@nyrahul nyrahul removed this from the v0.5 milestone Jun 16, 2022
@Ankurk99 Ankurk99 mentioned this issue Jul 28, 2022
@Ankurk99 Ankurk99 self-assigned this Aug 4, 2022
nyrahul (Contributor, Author) commented Aug 1, 2023

Further FAQs:

  • I am using Kata Containers/KubeVirt/Firecracker ... How can KubeArmor help?
  • Deny ICMP is not working with Ubuntu/AppArmor
  • Is there a difference between the level of security offered by KubeArmor in k8s vs VM/bare-metal environments?

nyrahul (Contributor, Author) commented Aug 22, 2023

How to enable KubeArmorHostPolicy in a k8s cluster?

By default, host policies and host visibility are disabled for k8s hosts.

If you run the following command: kubectl logs -n kube-system <KUBEARMOR-POD> | grep "Started to protect"
you will see: 2023-08-21 12:58:34.641665      INFO    Started to protect containers.
This indicates that only container/pod protection is enabled.
If you have host policy enabled, you should see something like this: 2023-08-22 18:07:43.335232      INFO    Started to protect a host and containers

One can enable the host policy by patching the daemonset (kubectl edit daemonsets.apps -n kube-system kubearmor):

...
  template:
    metadata:
      annotations:
        container.apparmor.security.beta.kubernetes.io/kubearmor: unconfined
      creationTimestamp: null
      labels:
        kubearmor-app: kubearmor
    spec:
      containers:
      - args:
        - -gRPC=32767
        - -enableKubeArmorHostPolicy  <----- ADD THIS LINE
        env:
        - name: KUBEARMOR_NODENAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
...
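
The same change as a script rather than a hand edit, so it can be applied repeatably and checked afterwards. This is an added example, not KubeArmor's own tooling: it takes the DaemonSet as JSON (the constructed SAMPLE_DAEMONSET below stands in for `kubectl get ds kubearmor -n kube-system -o json` and keeps only the container and args from the snippet above), emits the `kubectl patch --type=json` operation for the correct container index, handles an explicit `-enableKubeArmorHostPolicy=false` already present in args, and parses the "Started to protect" line from the comment to confirm the result. The container name `kubearmor` and the log samples are assumptions of the example; the flag name is the one shown in the comment.

```python
import copy
import json
import re
import sys

HOST_POLICY_FLAG = "-enableKubeArmorHostPolicy"

# Constructed, minimal stand-in for `kubectl get ds kubearmor -n kube-system -o json`.
# Only the fields this example touches are kept; a real DaemonSet carries many more.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "kubearmor", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "kubearmor", "args": ["-gRPC=32767"]},
    ]}}},
}

# Constructed log excerpts in the format of the lines quoted in the comment.
SAMPLE_LOG_BEFORE = "2023-08-21 12:58:34.641665\tINFO\tStarted to protect containers\n"
SAMPLE_LOG_AFTER = "2023-08-22 18:07:43.335232\tINFO\tStarted to protect a host and containers\n"


def _find_container(daemonset, name):
    """(index, container) for the named container, so the JSON patch path is right."""
    for idx, c in enumerate(daemonset["spec"]["template"]["spec"]["containers"]):
        if c.get("name") == name:
            return idx, c
    raise ValueError("no container named %r in DaemonSet" % name)


def _flag_index(container):
    """Index of any -enableKubeArmorHostPolicy[=...] arg, else -1."""
    for i, a in enumerate(container.get("args", [])):
        if a == HOST_POLICY_FLAG or a.startswith(HOST_POLICY_FLAG + "="):
            return i
    return -1


def _flag_enabled(arg):
    return arg in (HOST_POLICY_FLAG, HOST_POLICY_FLAG + "=true")


def json_patch_for_host_policy(daemonset, container_name="kubearmor"):
    """RFC 6902 patch for `kubectl patch --type=json`; [] if host policy is already on."""
    idx, c = _find_container(daemonset, container_name)
    base = "/spec/template/spec/containers/%d/args" % idx
    j = _flag_index(c)
    if j >= 0:
        if _flag_enabled(c["args"][j]):
            return []
        # e.g. "-enableKubeArmorHostPolicy=false": replace in place, don't append a duplicate
        return [{"op": "replace", "path": "%s/%d" % (base, j), "value": HOST_POLICY_FLAG}]
    if "args" not in c:
        return [{"op": "add", "path": base, "value": [HOST_POLICY_FLAG]}]
    return [{"op": "add", "path": base + "/-", "value": HOST_POLICY_FLAG}]


def enable_host_policy(daemonset, container_name="kubearmor"):
    """Apply the same change to the object itself (for `kubectl apply -f -`); idempotent."""
    ds = copy.deepcopy(daemonset)
    _, c = _find_container(ds, container_name)
    args = c.setdefault("args", [])
    j = _flag_index(c)
    if j < 0:
        args.append(HOST_POLICY_FLAG)
    elif not _flag_enabled(args[j]):
        args[j] = HOST_POLICY_FLAG
    return ds


STARTED_RE = re.compile(r"INFO\s+Started to protect (a host and containers|containers)")


def host_policy_state(log_text):
    """'host+containers' or 'containers' from the last 'Started to protect' line; None if absent."""
    state = None
    for m in STARTED_RE.finditer(log_text):
        state = "host+containers" if m.group(1).startswith("a host") else "containers"
    return state


if __name__ == "__main__":
    # Usage: kubectl get ds kubearmor -n kube-system -o json > ds.json
    #        python3 enable_host_policy.py ds.json
    ds = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DAEMONSET
    print(json.dumps(json_patch_for_host_policy(ds)))
```

Apply the emitted patch with kubectl patch ds kubearmor -n kube-system --type=json -p "$(python3 enable_host_policy.py ds.json)", wait for the DaemonSet to roll out new pods, then run the grep from the comment against a new pod; `host_policy_state` on that output should return "host+containers". Before turning this on, look at the Arguments line the daemon prints at startup (quoted in the earlier log): it carries the hostDefaultFilePosture, hostDefaultNetworkPosture and hostDefaultCapabilitiesPosture values, and in that log all three are block.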

nyrahul added a commit to nyrahul/KubeArmor that referenced this issue Aug 22, 2023
nyrahul added a commit to nyrahul/KubeArmor that referenced this issue Aug 23, 2023
nyrahul added a commit to nyrahul/KubeArmor that referenced this issue Aug 23, 2023
nyrahul added a commit to nyrahul/KubeArmor that referenced this issue Aug 23, 2023
@ShubhamTatvamasi ShubhamTatvamasi added this to the v1.1.0 Release milestone Sep 28, 2023
nyrahul (Contributor, Author) commented Jan 15, 2024

Most of the FAQs are handled. If there are any new FAQs then they should be taken up individually, by creating an individual issue.

@nyrahul nyrahul closed this as completed Jan 15, 2024