KubeArmor
Definition
KubeArmor is a runtime security enforcement system for Kubernetes that provides fine-grained access control over system resources. It leverages Linux Security Modules (LSMs) like AppArmor and SELinux to enforce security policies on containers, ensuring that only authorized actions are permitted. KubeArmor is designed to enhance the security posture of Kubernetes clusters by preventing unauthorized access and mitigating potential threats at runtime.
Secure Settings Example
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: block-unwanted-processes
spec:
selector:
matchLabels:
app: my-secure-app
process:
matchPaths:
- path: /bin/sh
action: Block
- path: /usr/bin/wget
action: Block
file:
matchPaths:
- path: /etc/passwd
action: Block
network:
matchProtocols:
- protocol: TCP
action: Allow
Insecure Settings Example
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
name: allow-all
spec:
selector:
matchLabels:
app: my-insecure-app
process:
matchPaths:
- path: /bin/*
action: Allow
file:
matchPaths:
- path: /etc/*
action: Allow
network:
matchProtocols:
- protocol: ALL
action: Allow