How to use KubeArmor to enforce security on containerized workloads


Overview

When KubeArmor runs in systemd mode (installed as a host service rather than as a Kubernetes DaemonSet), it can also enforce security policies on containers that are not orchestrated by Kubernetes.

Containerized: workloads that are containerized but not Kubernetes-orchestrated are supported; KubeArmor installed in systemd mode can be used to protect them.

This entry uses the enforcement that KubeArmor provides in systemd mode to control which commands can be executed inside a specific container.

Specifically, I will adapt the following sample policy (which blocks ls and sleep in a container named lb) into a policy that prevents the diff command from being executed in a particular container.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: process-block
spec:
  severity: 5
  message: "a critical file was accessed"
  tags:
  - WARNING
  selector:
    matchLabels:
      kubearmor.io/container.name: lb
  process:
    matchPaths:
      - path: /usr/bin/ls
      - path: /usr/bin/sleep
  action:
    Block

See also the KubeArmor wiki page linked under Reference for a description of security enforcement on containerized workloads.

Steps

Development environment (Ubuntu 20.04 on EC2)

ubuntu ~
> uname -r
5.15.0-1040-aws

Create a policy that prevents the diff command from being executed in containers

ubuntu ~
> cat container.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-diff
spec:
  selector:
    matchLabels:
      kubearmor.io/container.name: container
  process:
    matchPaths:
      - path: /usr/bin/diff
  action:
    Block

Apply this policy using the karmor client

ubuntu ~
> karmor vm policy add container.yaml
Success

This generates an AppArmor profile from the policy. The profile name is the prefix kubearmor_ followed by the value of kubearmor.io/container.name in the policy's selector, so the block-diff policy above produces kubearmor_container.

ubuntu ~
> ls /etc/apparmor.d/kubearmor_*
/etc/apparmor.d/kubearmor_container

The KubeArmor policy itself is also stored separately from the AppArmor profile, under /opt/kubearmor/policies/.

ubuntu ~
> sudo ls /opt/kubearmor/policies/
block-diff.yaml

The generated AppArmor profile is passed to docker run via --security-opt when starting the container. Running diff inside this container now fails with Permission denied, confirming that KubeArmor's enforcement is in effect 🎉🎉🎉

ubuntu ~
> docker run --rm --security-opt apparmor=kubearmor_container -it ubuntu bash
root@0383459dd77c:/# diff -h
bash: /usr/bin/diff: Permission denied

The --security-opt flag of docker run is documented as follows:

--security-opt="apparmor=PROFILE" Set the apparmor profile to be applied to the container

With the AppArmor enforcer, this flag is what attaches the generated profile to the container: a container started without it runs under Docker's default docker-default profile (or unconfined if AppArmor is disabled), so the policy does not apply to it. Always confirm that the profile name passed here matches the file created under /etc/apparmor.d/.
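The following shell script is an added example (not part of the original post or of the KubeArmor project) that checks the whole procedure above end to end: it derives the expected profile name from the policy file, confirms the kernel has that profile loaded, runs the blocked command under the profile, and then runs the same command without --security-opt as a negative control. It assumes the policy has already been applied with karmor vm policy add, that KubeArmor is using the AppArmor enforcer, and that docker and the ubuntu image are available; the function names (profile_name_for, profile_loaded, classify_exit, run_in_container, check_enforcement) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or KubeArmor: verify that a
# KubeArmor systemd-mode policy is enforced on a Docker container, with a
# negative control. Assumes the policy was applied with `karmor vm policy add`,
# the AppArmor enforcer is in use, and docker plus the ubuntu image exist.
# Usage: sh check_enforcement.sh container.yaml

# Derive the AppArmor profile name ("kubearmor_" + container.name selector)
# from a KubeArmorPolicy YAML file. Fails if the selector is missing.
profile_name_for() {
    name=$(sed -n 's/^[[:space:]]*kubearmor\.io\/container\.name:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$name" ] || return 1
    printf 'kubearmor_%s\n' "$name"
}

# Succeed only if the kernel currently has the profile loaded
# (lines in this file look like "kubearmor_container (enforce)").
profile_loaded() {
    grep -q "^$1 (" /sys/kernel/security/apparmor/profiles 2>/dev/null
}

# Map the exit status of `docker run ... sh -c CMD` to a verdict:
#   126 -> "blocked"  (sh could not exec the binary: Permission denied)
#   0   -> "allowed"  (the command ran and succeeded)
#   anything else -> "error" (e.g. 125 reported by the docker daemon itself)
classify_exit() {
    case "$1" in
        126) echo blocked ;;
        0)   echo allowed ;;
        *)   echo error ;;
    esac
}

# Run CMD in a fresh ubuntu container, under an AppArmor profile when one is
# given, and print the container's exit status.
run_in_container() {
    profile=$1
    cmd=$2
    if [ -n "$profile" ]; then
        docker run --rm --security-opt "apparmor=$profile" ubuntu sh -c "$cmd" >/dev/null 2>&1
    else
        docker run --rm ubuntu sh -c "$cmd" >/dev/null 2>&1
    fi
    echo $?
}

# End-to-end check for one policy file: the blocked binary must fail under the
# generated profile (positive case) and succeed without it (negative control,
# which is what happens when --security-opt is forgotten).
check_enforcement() {
    policy=$1
    profile=$(profile_name_for "$policy") || { echo "FAIL: no kubearmor.io/container.name selector in $policy"; return 1; }
    profile_loaded "$profile" || { echo "FAIL: profile $profile is not loaded in the kernel"; return 1; }
    # diff of a file against itself exits 0 whenever diff is allowed to run.
    cmd='diff /etc/hostname /etc/hostname'
    enforced=$(classify_exit "$(run_in_container "$profile" "$cmd")")
    control=$(classify_exit "$(run_in_container "" "$cmd")")
    echo "with $profile: $enforced; without a profile: $control"
    [ "$enforced" = blocked ] && [ "$control" = allowed ]
}

# Only run the live check when a policy file is given on the command line.
[ $# -eq 0 ] || check_enforcement "$1"
```

A PASS requires both halves: the command must be denied with exit status 126 under kubearmor_container and must succeed in an otherwise identical container that was started without the flag. If the control also fails, the problem is not the policy but the image or the command; if the enforced run succeeds, the profile was either not loaded or not attached.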

Reference