KubeArmor 1.0: Runtime Security Enforcement for Kubernetes

Introduction

KubeArmor 1.0, released on August 18, 2022, introduces runtime security enforcement for Kubernetes using eBPF technology. This release provides system call filtering, policy enforcement, and comprehensive security monitoring for cloud-native workloads.

Security features matter most when you are trying to enforce guardrails without blocking delivery. This release is useful if you are tightening policy, improving visibility, or hardening defaults across Kubernetes workloads.

Runtime Security Enforcement

  • eBPF-based enforcement provides low-overhead system call filtering and monitoring.
  • Policy enforcement enables fine-grained control over process execution, file access, and network operations.
  • Real-time protection blocks unauthorized actions before they can cause harm.
  • Zero-trust security model ensures workloads are protected by default.

Policy Capabilities

  1. Process policies control which processes can be executed within containers.
  2. File policies restrict file access and modifications based on paths and permissions.
  3. Network policies enforce network access controls at the system call level.
  4. Capability policies restrict Linux capabilities and system calls.
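The four policy types above can be combined in a single KubeArmorPolicy. The following is an added example, not a policy shipped with the project or taken from the release notes; the policy name, the `app: payments-api` label, the namespace and the concrete paths are assumed values chosen for illustration, and the rule fields (`matchPaths`, `matchPatterns`, `matchDirectories`, `matchProtocols`, `matchCapabilities`, `readOnly`, `fromSource`) are used as documented in the KubeArmor policy specification.

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-payments-api        # assumed policy name
  namespace: default               # KubeArmorPolicy is namespaced: it only selects pods here
spec:
  severity: 7
  tags: ["hardening", "example"]
  message: "payments-api hardening policy violated"
  selector:
    matchLabels:
      app: payments-api            # assumed pod label; policy applies only to matching pods
  process:
    # Process policy: no interactive shells or package manager in this workload.
    matchPaths:
    - path: /bin/sh
    - path: /bin/bash
    - path: /usr/bin/apt
    matchPatterns:
    - pattern: /usr/bin/*sh        # catches other shells (dash, zsh, ...) if present
  file:
    # File policy: credentials stay readable to the process but cannot be modified.
    matchPaths:
    - path: /etc/shadow
      readOnly: true               # with action Block, writes are denied and reads still pass
    matchDirectories:
    - dir: /var/run/secrets/       # mounted service-account tokens and secrets
      recursive: true
      readOnly: true
  network:
    # Network policy at the syscall level: curl may not open TCP sockets from this container.
    matchProtocols:
    - protocol: tcp
      fromSource:
      - path: /usr/bin/curl
  capabilities:
    # Capability policy: no raw sockets (ping, packet capture) even if the pod has NET_RAW.
    matchCapabilities:
    - capability: net_raw
  action: Block                    # applies to every rule above unless a rule sets its own action
```

Apply it with `kubectl apply -f` and confirm the rules took effect by checking that a shell exec into a matching pod fails with a permission error; switching `action` to `Audit` keeps the same rule set but only logs violations, which is the usual first step before enforcing in production.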

Kubernetes Integration

  • CRD support enables managing security policies as Kubernetes resources.
  • Label-based policy selection allows policies to be applied based on pod labels.
  • Namespace isolation ensures policies are scoped to appropriate namespaces.
  • RBAC integration provides fine-grained access control for policy management.
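Because KubeArmorPolicy is a namespaced Kubernetes resource, ordinary RBAC decides who may create or change policies, and a Role (rather than a ClusterRole) confines that right to one namespace. The manifests below are an added example, not part of the release or of the KubeArmor project's own manifests; the `payments` namespace, the Role and RoleBinding names and the `payments-security` group are assumed values, while the API group `security.kubearmor.com` and the resource name `kubearmorpolicies` are those registered by the KubeArmor CRD.

```yaml
# Role: full management of KubeArmorPolicy objects, but only inside the payments namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubearmor-policy-editor    # assumed name
  namespace: payments              # assumed namespace; the Role cannot reach policies elsewhere
rules:
- apiGroups: ["security.kubearmor.com"]
  resources: ["kubearmorpolicies"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# RoleBinding: grant that Role to the team that owns the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-security-team     # assumed name
  namespace: payments
subjects:
- kind: Group
  name: payments-security          # assumed group from the cluster's identity provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: kubearmor-policy-editor
  apiGroup: rbac.authorization.k8s.io
---
# Separate read-only Role for auditors who need to review policies without changing them.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubearmor-policy-viewer    # assumed name
  namespace: payments
rules:
- apiGroups: ["security.kubearmor.com"]
  resources: ["kubearmorpolicies"]
  verbs: ["get", "list", "watch"]
```

Verify the scoping with `kubectl auth can-i create kubearmorpolicies.security.kubearmor.com -n payments --as-group payments-security --as someone` and the same command against another namespace, which should answer `no`; keeping policy authorship namespace-scoped prevents one team from weakening enforcement on workloads it does not own.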

Observability & Monitoring

  • Security events provide detailed logging of policy violations and enforcement actions.
  • Metrics integration exposes security metrics for Prometheus and Grafana.
  • Alerting support enables real-time notifications of security violations.
  • Audit logging tracks all security-relevant events for compliance and analysis.

Getting Started

Install KubeArmor into the cluster:

kubectl apply -f https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/deployments/kubearmor.yaml

Create a security policy that blocks shells in pods labelled app=nginx:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-shell
spec:
  selector:
    matchLabels:
      app: nginx
  process:
    matchPaths:
    - path: /bin/sh
      action: Block
    - path: /bin/bash
      action: Block

Summary

Aspect             | Details
-------------------|-----------------------------------------------------------------------------------------------
Release Date       | August 18, 2022
Headline Features  | Runtime security enforcement, eBPF-based filtering, Kubernetes-native policies
Why it Matters     | Provides low-overhead runtime security enforcement for Kubernetes workloads using eBPF technology

KubeArmor 1.0 introduces a new approach to runtime security, providing teams with powerful tools to enforce security policies at the system call level.