search logo search cross
Schedule a demo

Struggling to find cloud security expertise?

Our dashboards correlate events across the multi cloud and on-premise, Reduce resolution time time by 95%

Start Risk Assessment

Webinar

AI-LLM-webinar-card
1/4

eBook

ebook

Get eBook worth $199 for Free

DOWNLOAD NOW
2/4

Blog

mssp

Why AccuKnox is the most MSSP Ready CNAPP?

LEARN MORE
3/4

Comparison

Comparison

Searching for Alternative CNAPP?

COMPARE NOW
4/4
host enforcement min 1

KubeArmor Host enforcement + Policy discovery

 |  April 08, 2022

KubeArmor now adds support for host policies i.e policies that can directly run on Virtual Machines and Baremetal systems using AppArmor and SELinux. A host policy is a policy that is applicable to a given host (identified by a label) and can be enforced on the host by targeting an individual or a group of […]

Reading Time: 2 minutes

Table of Contents

x-icon linked-icon reddit-icon

KubeArmor now adds support for host policies i.e policies that can directly run on Virtual Machines and Baremetal systems using AppArmor and SELinux.

A host policy is a policy that is applicable to a given host (identified by a label) and can be enforced on the host by targeting an individual or a group of actions or processes.

A host policy can be enforced by either of the two Linux Security Modules (LSM):

  • AppArmor – Many Linux distributions (e.g. Debian, Ubuntu, OpenSUSE) ship with AppArmor.
  • SELinux – CentOS, RedHat Enterprise Linux and other RHEL flavors such as Rocky Linux support SELinux.

So how do host policies work?

Host policies require a virtual machine control plane called the KVMService (details here). The KVMService allows us to orchestrate and enforce Kubearmor (and Cilium policies) on non Kubernetes i.e. virtual machine and bare-metal workloads as well as hybrid workloads. Please read the help documentation regarding KVMService in our help section. Once the KVM service is installed and enabled a host policy can be defined to enforce on the host on a particular process or action on the host.

Sample host policy: Denies /bin/bash execution from any JVM /path/to/jvm

hostenforcement 2

Host policy

 

Auto-discovery of host policies

Policy Discovery engine auto-discovers security policies for a VM or bare metal systems in addition to K8s clusters. The auto-discovery of policies on a host typically discovers policies by process (aka workload on the host). The user can choose to auto-discover policies as a single file for the host as well.

The auto-discovery of policies works for

  • Host-based KubeArmor policy auto-discovery: KubeArmor will automatically discover the entire profile of the host operating system and its workloads including all processes, file accesses, and network connections. KubeArmor will then use these auto-discover policies to enforce it on the host (Ubuntu, Debian, CentOS, RHEL, Rocky Linux..) using AppArmor or SELinux depending upon the host operating system.
  • Host-based Cilium policy auto-discovery: The Auto discovery also supports fully automated discovery of network policies (L3, L4, and L7 policies) for all workloads within a virtual machine or baremetal system attempting to access a network connection.

 

x-icon linked-icon reddit-icon

Continue Reading

Get a LIVE Tour

Ready for a personalized security assessment?

“Choosing AccuKnox was driven by opensource KubeArmor’s novel use of eBPF and LSM technologies, delivering runtime security”

idt

Golan Ben-Oni

Chief Information Officer

“At Prudent, we advocate for a comprehensive end-to-end methodology in application and cloud security. AccuKnox excelled in all areas in our in depth evaluation.”

prudent

Manoj Kern

CIO

“Tible is committed to delivering comprehensive security, compliance, and governance for all of its stakeholders.”

tible

Merijn Boom

Managing Director

Please enable JavaScript in your browser to complete this form.