KubeArmor

KubeArmor is a runtime security enforcement system for containers and Linux hosts. It uses eBPF for visibility into process, file and network activity, and the kernel's Linux Security Modules (AppArmor, BPF-LSM or SELinux) to enforce policy. Unlike Falco (which detects threats and leaves the response to you), KubeArmor can deny a prohibited action inline, before it completes.

What is KubeArmor?

KubeArmor attaches to LSM hooks in the kernel, which lets it:

  • Block execution of unauthorized binaries (process rules)
  • Deny reads or writes to protected files and directories (file rules)
  • Restrict which processes may use TCP, UDP, ICMP or raw sockets (network rules)
  • Deny use of Linux capabilities such as sys_admin or net_raw (capability rules)

Think of KubeArmor as a bouncer at a club—it doesn’t just watch for trouble, it actively prevents unauthorized actions.

How KubeArmor Works

flowchart TD
    A[Container Action] --> B[Linux Kernel]
    B --> C["KubeArmor (LSM hook)"]
    C --> D{Matches Policy?}
    D -->|Allow / no rule| E[Action Proceeds]
    D -->|Audit| L[Log Event] --> E
    D -->|Block| F[Action Denied] --> G[Log Event]
    E --> H[Container Continues]
    style A fill:#e1f5ff
    style C fill:#fff4e1
    style F fill:#ffebee
    style G fill:#ffebee

Installing KubeArmor

Using Helm

helm repo add kubearmor https://kubearmor.github.io/charts
helm repo update
helm install kubearmor kubearmor/kubearmor -n kubearmor --create-namespace

Current releases also ship an operator chart (kubearmor/kubearmor-operator) that deploys the daemonset from a KubeArmorConfig resource; check the chart README for the variant that matches your cluster, and note which namespace you installed into, since the troubleshooting commands below need it.

Manual Installation

kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/kubearmor/kubearmor.yaml

Whichever way you install, enforcement depends on the LSM available on each node (AppArmor, BPF-LSM or SELinux). On a node where none of these is enabled, KubeArmor still reports events but cannot block anything, so Block policies there are effectively audit-only. After installation run karmor probe (from the kubearmor-client CLI) to see which enforcer is active on each node.

KubeArmor Policies

KubeArmor policies are Kubernetes Custom Resources that define security rules.

Basic Policy Structure

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-shell
  namespace: production
spec:
  # Pods in this namespace carrying the label app=my-app
  selector:
    matchLabels:
      app: my-app
  # Deny exec of these binaries (matched by absolute path)
  process:
    matchPaths:
    - path: /bin/sh
      action: Block
    - path: /bin/bash
      action: Block
  file:
    matchPaths:
    # readOnly keeps reads working (libc user lookups need /etc/passwd)
    # while writes are denied; without it, the rule blocks reads too
    - path: /etc/passwd
      readOnly: true
      action: Block

Process Restrictions

Block specific processes. KubeArmor matches the executable's absolute path, so on images where /bin is a symlink to /usr/bin, or where nc is a busybox applet, list every path the tool can be reached by (or use a process.matchPatterns rule). Because an attacker can just as easily download a scanner into a writable directory, pair the list with a rule that denies execution from /tmp altogether:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-dangerous-processes
spec:
  selector:
    matchLabels:
      app: web-app
  process:
    matchPaths:
    - path: /usr/bin/nmap
      action: Block
    - path: /usr/bin/nc
      action: Block
    - path: /usr/bin/netcat
      action: Block
    # Nothing under /tmp may be executed, whatever it is called
    matchDirectories:
    - dir: /tmp/
      recursive: true
      action: Block

File System Protection

Protect sensitive files. matchPaths takes exact paths and does not expand wildcards, so whole trees go under matchDirectories, whose dir value must start and end with a slash (the CRD rejects dir: /root). Be careful with /var/run/secrets/: it holds the service-account token that in-cluster API clients read, so block it only for workloads that never talk to the API server, or scope the rule with fromSource to the binaries that should not read it.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: protect-secrets
spec:
  selector:
    matchLabels:
      app: app
  file:
    matchDirectories:
    - dir: /etc/secrets/
      recursive: true
      action: Block
    - dir: /var/run/secrets/
      recursive: true
      action: Block
    - dir: /root/
      recursive: true
      action: Block

Network Restrictions

Control network access. Network rules match the socket protocol, not addresses or ports (that remains the job of NetworkPolicy); fromSource narrows the rule to particular binaries, and without it the rule applies to every process in the container. The action belongs on the protocol rule, not inside the fromSource entry:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: restrict-network
spec:
  selector:
    matchLabels:
      app: app
  network:
    matchProtocols:
    # curl may not open TCP sockets; every other process is unaffected
    - protocol: TCP
      fromSource:
      - path: /usr/bin/curl
      action: Block

Capability Restrictions

Limit Linux capabilities. Capability names are written in lowercase without the CAP_ prefix. Dropping capabilities in the pod securityContext is still the first line of defence; this rule catches use of a capability the pod was granted anyway. Whether capability rules are enforced depends on the enforcer active on the node, so check the KubeArmor support matrix for your LSM.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: restrict-capabilities
spec:
  selector:
    matchLabels:
      app: app
  capabilities:
    matchCapabilities:
    - capability: sys_admin
      action: Block
    - capability: net_admin
      action: Block

Policy Actions

KubeArmor supports three actions, set per rule or as a policy-wide default in spec.action:

  • Allow - Explicitly allow an action. A single Allow rule switches the container into allow-list mode for that category: anything not explicitly allowed is handled by the namespace default posture, which you set with the kubearmor-file-posture, kubearmor-network-posture and kubearmor-capabilities-posture annotations (audit or block)
  • Audit - Log the action but don't block it
  • Block - Prevent the action and log it

Audit Mode Example

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: audit-file-access
spec:
  selector:
    matchLabels:
      app: app
  # severity and message travel with every alert this policy raises,
  # which makes the audit output easier to triage
  severity: 3
  message: "read of /etc/passwd outside the app binary"
  file:
    matchPaths:
    - path: /etc/passwd
      action: Audit

Complete Example

Here's a comprehensive policy for a web application, with the pitfalls from the earlier sections avoided (readOnly on /etc/passwd, a trailing slash on the directory, the network action on the protocol rule):

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: web-app-policy
  namespace: production
spec:
  severity: 5
  selector:
    matchLabels:
      app: web-app
  process:
    matchPaths:
    - path: /bin/sh
      action: Block
    - path: /bin/bash
      action: Block
  file:
    matchPaths:
    - path: /etc/passwd
      readOnly: true
      action: Block
    - path: /etc/shadow
      action: Block
    matchDirectories:
    - dir: /root/
      recursive: true
      action: Block
  network:
    matchProtocols:
    - protocol: TCP
      fromSource:
      - path: /usr/bin/wget
      action: Block
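The validation pitfalls above (wildcards in matchPaths, a dir without its trailing slash, uppercase capability names, an action nested inside fromSource, a Block on /etc/passwd that also kills reads, Allow mixed with Block) are cheap to catch before kubectl apply. The following linter is an added example, not KubeArmor's own code; it works on the policy as a plain dict (what yaml.safe_load() returns) so it needs no YAML library, the CRD constraints it encodes are the ones stated in the sections above and are taken as read, and the two sample policies are constructed here to mirror the protect-secrets example before and after the fixes.

```python
"""Pre-apply linter for KubeArmorPolicy dicts (added example, not KubeArmor code)."""
import re

# Assumed to mirror the CRD validation: a path is absolute and does not end
# in "/", a directory is absolute and ends in "/" (so "dir: /root" is rejected).
PATH_RE = re.compile(r"^/.*[^/]$")
DIR_RE = re.compile(r"^/$|^/.*/$")
DEFAULT_ACTION = "Block"  # rule action falls back to spec.action, assumed to default to Block
# Files libc reads on most images (user lookups, DNS); an unconditional Block
# on them breaks the workload where readOnly: true was meant.
COMMONLY_READ = {"/etc/passwd", "/etc/group", "/etc/hosts", "/etc/resolv.conf"}
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}


def _action(rule, spec):
    return rule.get("action", spec.get("action", DEFAULT_ACTION))


def lint_policy(policy):
    """Return [(level, message), ...] for one KubeArmorPolicy dict; [] means clean."""
    findings = []
    spec = policy.get("spec", {})
    name = policy.get("metadata", {}).get("name", "<unnamed>")
    actions = set()

    if policy.get("kind") != "KubeArmorPolicy":
        findings.append(("error", f"{name}: kind {policy.get('kind')!r}, expected KubeArmorPolicy"))
    if not spec.get("selector", {}).get("matchLabels"):
        findings.append(("error", f"{name}: spec.selector.matchLabels is empty, the policy selects nothing"))

    for section in ("process", "file"):
        rules = spec.get(section, {})
        for rule in rules.get("matchPaths", []):
            path, act = rule.get("path", ""), _action(rule, spec)
            actions.add(act)
            if "*" in path:
                findings.append(("error", f"{name}: {section}.matchPaths {path!r}: matchPaths takes exact paths, use matchDirectories or matchPatterns"))
            elif not PATH_RE.match(path):
                findings.append(("error", f"{name}: {section}.matchPaths {path!r} must be absolute and not end in '/'"))
            if section == "file" and act == "Block" and path in COMMONLY_READ and not rule.get("readOnly"):
                findings.append(("warning", f"{name}: Block on {path} without readOnly: true also denies the reads most images depend on"))
            if section == "process" and act == "Block" and path in SHELLS:
                findings.append(("info", f"{name}: blocks {path}; confirm the container entrypoint does not start through a shell"))
        for rule in rules.get("matchDirectories", []):
            directory = rule.get("dir", "")
            actions.add(_action(rule, spec))
            if not DIR_RE.match(directory):
                findings.append(("error", f"{name}: {section}.matchDirectories {directory!r} must be absolute and end in '/'"))

    for rule in spec.get("capabilities", {}).get("matchCapabilities", []):
        cap = rule.get("capability", "")
        actions.add(_action(rule, spec))
        if cap != cap.lower() or cap.lower().startswith("cap_"):
            fixed = cap.lower().removeprefix("cap_")
            findings.append(("error", f"{name}: capability {cap!r} must be lowercase without the CAP_ prefix: {fixed!r}"))

    for rule in spec.get("network", {}).get("matchProtocols", []):
        actions.add(_action(rule, spec))
        for src in rule.get("fromSource", []):
            if "action" in src:
                findings.append(("error", f"{name}: network fromSource {src.get('path')!r} carries an action; action belongs on the protocol rule"))

    if "Allow" in actions and actions & {"Audit", "Block"}:
        findings.append(("warning", f"{name}: mixes Allow with Audit/Block; one Allow rule switches the container to allow-list mode and the namespace default posture decides everything not listed"))
    return findings


# Constructed sample: the protect-secrets policy as first written on this page
SAMPLE_BAD = {
    "apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorPolicy",
    "metadata": {"name": "protect-secrets"},
    "spec": {
        "selector": {"matchLabels": {"app": "app"}},
        "file": {"matchPaths": [{"path": "/etc/secrets/*", "action": "Block"},
                                {"path": "/etc/passwd", "action": "Block"}],
                 "matchDirectories": [{"dir": "/root", "recursive": True, "action": "Block"}]},
        "capabilities": {"matchCapabilities": [{"capability": "SYS_ADMIN", "action": "Block"}]},
        "network": {"matchProtocols": [{"protocol": "TCP",
                                        "fromSource": [{"path": "/usr/bin/curl", "action": "Block"}]}]},
    },
}
# Constructed sample: the same policy after the fixes
SAMPLE_GOOD = {
    "apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorPolicy",
    "metadata": {"name": "protect-secrets"},
    "spec": {
        "selector": {"matchLabels": {"app": "app"}},
        "file": {"matchPaths": [{"path": "/etc/passwd", "readOnly": True, "action": "Block"}],
                 "matchDirectories": [{"dir": "/etc/secrets/", "recursive": True, "action": "Block"},
                                      {"dir": "/root/", "recursive": True, "action": "Block"}]},
        "capabilities": {"matchCapabilities": [{"capability": "sys_admin", "action": "Block"}]},
        "network": {"matchProtocols": [{"protocol": "TCP", "fromSource": [{"path": "/usr/bin/curl"}],
                                        "action": "Block"}]},
    },
}

if __name__ == "__main__":
    for pol in (SAMPLE_BAD, SAMPLE_GOOD):
        for level, msg in lint_policy(pol) or [("ok", pol["metadata"]["name"] + ": no findings")]:
            print(f"[{level}] {msg}")
```

To lint real manifests, load each document with yaml.safe_load and pass the resulting dict to lint_policy; the checks are deliberately conservative (they flag the patterns the CRD rejects and the two settings that most often break workloads) and are no substitute for running the policy in Audit first.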

Best Practices

  1. Start with audit mode - Apply each rule with action: Audit, run the workload through its normal traffic and jobs (including cron and rollout hooks), then review the alerts
  2. Use specific selectors - Target policies to specific workloads by label and namespace; a selector that matches nothing is silently inert, one that matches too much breaks its neighbours
  3. Test thoroughly - Ensure policies don't break legitimate operations; shells used by entrypoints and files read by libc (/etc/passwd, /etc/resolv.conf) are the usual casualties
  4. Document policies - Explain why each policy exists, and use the severity, tags and message fields so the reason travels with the alert
  5. Monitor alerts - Watch for blocked actions that need exceptions, and for audit alerts that are attacker behaviour rather than noise
  6. Gradual enforcement - Move from Audit to Block one rule at a time, narrowing a rule with fromSource or readOnly rather than deleting it when it fires on legitimate traffic

Troubleshooting

Check KubeArmor Status

# Use the namespace you installed into (kubearmor for current charts,
# kube-system for older manifests); the daemonset is named kubearmor
kubectl get pods -n kubearmor
kubectl logs -n kubearmor daemonset/kubearmor
# Which enforcer (AppArmor, BPF-LSM, SELinux) is active on each node
karmor probe

View Policy Status

kubectl get kubearmorpolicies --all-namespaces   # short name: kubectl get ksp -A
kubectl describe kubearmorpolicy <policy-name> -n <namespace>

Check Blocked Actions

# Stream policy alerts with the kubearmor-client CLI; --json emits one
# JSON object per line with Action, Operation, Resource, Source, PolicyName
karmor logs --json | grep '"Action":"Block"'
# The daemon's own log is for KubeArmor errors, not for policy alerts
kubectl logs -n kubearmor daemonset/kubearmor
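Grepping alert lines works for a single pod; across a namespace you want the alerts aggregated, and the Audit alerts turned into the Block rules that Best Practices tells you to move to. The script below is an added example, not KubeArmor's or karmor's own code: it reads alerts in the one-JSON-object-per-line form that karmor logs --json emits, summarises them by workload, rule and outcome (the Check Blocked Actions step), and drafts a Block policy from one workload's Audit alerts (the gradual-enforcement step). The field names it relies on (NamespaceName, Labels, Operation, Resource, Source, Action, PolicyName) are assumed to match the alert format, and the sample lines are constructed, not captured from a cluster.

```python
"""Triage KubeArmor alerts and draft Block rules from Audit hits (added example)."""
import json
from collections import Counter

# Constructed sample of `karmor logs --json` output, including one status
# line that is not JSON; Resource for Process events may carry arguments.
SAMPLE_ALERTS = """\
Connected to KubeArmor relay
{"Timestamp":1718000001,"NamespaceName":"production","PodName":"web-app-7d9f4-x2k9q","Labels":"app=web-app","Operation":"Process","Resource":"/bin/sh -c id","Source":"/usr/local/bin/python3","Action":"Audit","Result":"Passed","PolicyName":"audit-shell"}
{"Timestamp":1718000002,"NamespaceName":"production","PodName":"web-app-7d9f4-x2k9q","Labels":"app=web-app","Operation":"Process","Resource":"/bin/sh -c id","Source":"/usr/local/bin/python3","Action":"Audit","Result":"Passed","PolicyName":"audit-shell"}
{"Timestamp":1718000003,"NamespaceName":"production","PodName":"web-app-7d9f4-x2k9q","Labels":"app=web-app","Operation":"File","Resource":"/etc/shadow","Source":"/bin/cat","Action":"Audit","Result":"Passed","PolicyName":"audit-file-access"}
{"Timestamp":1718000004,"NamespaceName":"production","PodName":"web-app-7d9f4-x2k9q","Labels":"app=web-app","Operation":"File","Resource":"/etc/passwd","Source":"/bin/cat","Action":"Block","Result":"Permission denied","PolicyName":"web-app-policy"}
{"Timestamp":1718000005,"NamespaceName":"dev","PodName":"scanner-5b8c-qq1","Labels":"app=scanner","Operation":"Process","Resource":"/usr/bin/nc -zv 10.0.0.5 22","Source":"/bin/bash","Action":"Audit","Result":"Passed","PolicyName":"audit-shell"}
"""


def parse_alerts(text):
    """Parse JSON-lines alert output, skipping status lines that are not JSON."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def parse_labels(labels):
    """'app=web-app,tier=frontend' -> {'app': 'web-app', 'tier': 'frontend'}."""
    out = {}
    for kv in labels.split(","):
        if "=" in kv:
            key, value = kv.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def summarize(alerts, action=None):
    """Count alerts by (namespace, operation, source, resource path, action)."""
    counts = Counter()
    for a in alerts:
        if action and a.get("Action") != action:
            continue
        resource = a.get("Resource", "").split(" ")[0]  # drop arguments
        counts[(a.get("NamespaceName"), a.get("Operation"), a.get("Source"), resource, a.get("Action"))] += 1
    return counts


def draft_block_policy(alerts, namespace, match_labels, name):
    """Turn one workload's Audit alerts into a Block policy dict (process and file rules only)."""
    seen = {"Process": {}, "File": {}}
    for a in alerts:
        if a.get("Action") != "Audit" or a.get("NamespaceName") != namespace:
            continue
        labels = parse_labels(a.get("Labels", ""))
        if any(labels.get(k) != v for k, v in match_labels.items()):
            continue
        op = a.get("Operation")
        if op not in seen:
            continue  # network and capability alerts need hand-written rules
        path = a.get("Resource", "").split(" ")[0]
        seen[op].setdefault(path, Counter())[a.get("Source", "?")] += 1

    def rules(bucket):
        # message records which binaries triggered the audit, so the reviewer
        # can decide whether to narrow the rule with fromSource instead
        return [{"path": p, "action": "Block",
                 "message": "audit saw " + ", ".join(f"{s} x{n}" for s, n in sorted(srcs.items()))}
                for p, srcs in sorted(bucket.items())]

    spec = {"selector": {"matchLabels": match_labels}, "severity": 5}
    if seen["Process"]:
        spec["process"] = {"matchPaths": rules(seen["Process"])}
    if seen["File"]:
        spec["file"] = {"matchPaths": rules(seen["File"])}
    return {"apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for key, n in sorted(summarize(alerts).items(), key=lambda kv: -kv[1]):
        print(n, *key)
    policy = draft_block_policy(alerts, "production", {"app": "web-app"}, "web-app-block")
    print(json.dumps(policy, indent=2))  # JSON is valid input for kubectl apply -f
```

The drafted policy is a starting point for review, not something to apply blindly: every audited path becomes an unconditional Block, so an Audit hit caused by legitimate traffic (the app's own shell wrapper, for instance) would turn into an outage. Read the message field on each rule, decide whether a fromSource or readOnly narrowing is the right fix, and keep network and capability rules hand-written.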

Test Policy

# Try to execute a blocked command
kubectl exec -it <pod-name> -n <namespace> -- /bin/sh
# With block-shell applied to the pod, kubectl exec fails with a
# "permission denied" error from the container runtime, and the attempt
# appears as a Block alert for that pod:
karmor logs --json | grep '"Action":"Block"'
# If exec succeeds with no alert, check that the pod carries the selector
# labels and that karmor probe shows an active enforcer on its node

See Also