KubeArmor Support for Host Policy Discovery and Enforcement

KubeArmor now adds support for a Host Policy i.e policies that can directly run on Virtual Machines and BareMetal systems using AppArmor and SELinux.

A host policy is a policy that is applicable to a given host (identified by a label) and can be enforced on the host by targeting an individual or a group of actions or processes.

A host policy can be enforced by either of the two Linux Security Modules (LSM):

• AppArmor – Many Linux distributions (e.g. Debian, Ubuntu, OpenSUSE) ship with AppArmor.
• SELinux – CentOS, RedHat Enterprise Linux and other RHEL flavors such as Rocky Linux support SELinux.

How do host policies work?

Host policies require a virtual machine control plane called the KVMService (details here). The KVMService allows us to orchestrate and enforce Kubearmor (and Cilium policies) on non Kubernetes i.e. virtual machine and bare-metal workloads as well as hybrid workloads. Please read the help documentation regarding KVMService in our help section. Once the KVM service is installed and enabled a host policy can be defined to enforce on the host on a particular process or action on the host.

Sample host policy: Denies /bin/bash execution from any JVM /path/to/jvm

Host policy

🗙

How to Troubleshoot KubeArmor policies?

See how to troubleshoot KubeArmor policies in GKE.

Learn More

Auto-discovery of Host Policies

Policy Discovery engine auto-discovers security policies for a VM or bare metal systems in addition to K8s clusters. The auto-discovery of policies on a host typically discovers policies by process (aka workload on the host). The user can choose to auto-discover policies as a single file for the host as well.

The auto-discovery of policies works for:

• Host-based KubeArmor policy auto-discovery: KubeArmor will automatically discover the entire profile of the host operating system and its workloads including all processes, file accesses, and network connections. KubeArmor will then use these auto-discover policies to enforce it on the host (Ubuntu, Debian, CentOS, RHEL, Rocky Linux..) using AppArmor or SELinux depending upon the host operating system.
• Host-based Cilium policy auto-discovery: The Auto discovery also supports fully automated discovery of network policies (L3, L4, and L7 policies) for all workloads within a virtual machine or baremetal system attempting to access a network connection.

Further Reading

Talos Linux and KubeArmor Integration [2025 Edition]

Enhancing Kubernetes Security with Talos Linux and KubeArmor

Download Now