KubeArmor Host enforcement + Policy discovery
KubeArmor now adds support for host policies i.e policies that can directly run on Virtual Machines and Baremetal systems using AppArmor and SELinux. A host policy is a policy that is applicable to a given host (identified by a label) and can be enforced on the host by targeting an individual or a group of […]
Reading Time: 2 minutes
KubeArmor now adds support for host policies i.e policies that can directly run on Virtual Machines and Baremetal systems using AppArmor and SELinux.
A host policy is a policy that is applicable to a given host (identified by a label) and can be enforced on the host by targeting an individual or a group of actions or processes.
A host policy can be enforced by either of the two Linux Security Modules (LSM):
- AppArmor – Many Linux distributions (e.g. Debian, Ubuntu, OpenSUSE) ship with AppArmor.
- SELinux – CentOS, RedHat Enterprise Linux and other RHEL flavors such as Rocky Linux support SELinux.
So how do host policies work?
Host policies require a virtual machine control plane called the KVMService (details here). The KVMService allows us to orchestrate and enforce Kubearmor (and Cilium policies) on non Kubernetes i.e. virtual machine and bare-metal workloads as well as hybrid workloads. Please read the help documentation regarding KVMService in our help section. Once the KVM service is installed and enabled a host policy can be defined to enforce on the host on a particular process or action on the host.
Sample host policy: Denies /bin/bash execution from any JVM /path/to/jvm
Host policy
Auto-discovery of host policies
Policy Discovery engine auto-discovers security policies for a VM or bare metal systems in addition to K8s clusters. The auto-discovery of policies on a host typically discovers policies by process (aka workload on the host). The user can choose to auto-discover policies as a single file for the host as well.
The auto-discovery of policies works for
- Host-based KubeArmor policy auto-discovery: KubeArmor will automatically discover the entire profile of the host operating system and its workloads including all processes, file accesses, and network connections. KubeArmor will then use these auto-discover policies to enforce it on the host (Ubuntu, Debian, CentOS, RHEL, Rocky Linux..) using AppArmor or SELinux depending upon the host operating system.
- Host-based Cilium policy auto-discovery: The Auto discovery also supports fully automated discovery of network policies (L3, L4, and L7 policies) for all workloads within a virtual machine or baremetal system attempting to access a network connection.
Get a LIVE Tour
Ready for a personalized security assessment?
“Choosing AccuKnox was driven by opensource KubeArmor’s novel use of eBPF and LSM technologies, delivering runtime security”
Golan Ben-Oni
Chief Information Officer
“At Prudent, we advocate for a comprehensive end-to-end methodology in application and cloud security. AccuKnox excelled in all areas in our in depth evaluation.”
Manoj Kern
CIO
“Tible is committed to delivering comprehensive security, compliance, and governance for all of its stakeholders.”
Merijn Boom
Managing Director