popup cross
Please enable JavaScript in your browser to complete this form.

See AccuKnox in Action

Meet our security experts to understand risk assessment in depth

Name
Checkbox Items

For information on how we comply with data privacy practices, please review our Privacy Policy.

Generate Kyverno Admission Controller Policies with KubeArmor®

by Vyom Yadav | December 01, 2023

Look into the functions, security, and Zero Trust tokens of Kubernetes admission controllers. Let us walk through KubeArmor’s Discovery Engine, which provides full visibility and proactive security measures for fortified cluster protection. See how to strengthen your Kubernetes environment with advanced safeguards!

Reading Time: 3 minutes

What are Kubernetes admission controllers?

Admission Controllers enforce semantic validation of objects during create, update, and delete operations. Kubernetes Admission controllers leverage admission webhooks which are HTTP callbacks. These receive admission requests before k8s resources are deployed such that the controllers can perform some actions such as security, compliance, and governance checks before admitting the resources. Admission controllers use validating and mutating webhooks (some extend to ValidatingAdmissionPolicy too) to control the operations performed through the kube-api server.

💡TL;DR

  • Kubernetes admission controllers enforce semantic validation of objects during create, update, and delete operations.
  • They leverage admission webhooks to perform security, compliance, and governance checks before admitting resources.
  • These controllers are easy to integrate with existing clusters and highly configurable, enhancing their security posture.
  • KubeArmor, a runtime security platform, can detect application behavior and generate admission controller policies based on the container or application behavior.
  • It is recommended to run applications in the pre-production stage to gain visibility into application behavior and generate highly accurate policies.

Why is Kubernetes admission controller required?

Kubernetes admission controller can enforce custom policies that are not possible with Kubernetes RBAC or Pod Security Policies. Almost all Kubernetes admission controllers are easy to integrate with an existing cluster and being highly configurable, they can severely enhance security posture. Some notable policy examples are:

  1. Resource Limits
  2. Trusted Container Images
  3. Label Existence
  4. Security Context
  5. IngressEgress, and NetworkPolicy governance

How can KubeArmor runtime visibility enhance Kubernetes admission controller policies?

Admission controllers, as the name suggests, enforce policies at the time of admission. Consequently, administrators need to understand application behavior before enforcing policies to ensure that a mistake does not lead to downtime in application availability.

Runtime security platforms like AccuKnox and its OpenSource companion, KubeArmor can detect application behavior and generate admission controller policies based on the container or the application behavior. Administrators can deploy applications in the pre-production stage for AccuKnox/KubeArmor to collect runtime data and generate admission controller policies according to application behavior.

Zero Trust with service account token

For any pod deployed on the cluster, the service account token is automatically mounted onto that container unless explicitly setting automountServiceAccountToken: false . Unless explicitly specified, the default service account token of the particular namespace is mounted onto the pod. Though the permissions of the default token are highly restricted, these can be enhanced by binding it with some role or clusterrole.

What attacks are possible with service account tokens?

“Every possible attack that can be performed after accessing the kube-api server”
The service account token is used to access the kube-api server. The attack surface varies according to the role assigned to the service account token. After getting the service account token, the attacker can impersonate the application and access the API server to even perform crypto-jacking attacks.

Disallow mounting of unused tokens with AccuKnox®

While access to the service account token can be restricted at runtime using KubeArmor (https://docs.kubearmor.io/kubearmor/use-cases/use-cases#block-access-to-k8s-service-account-token), it is better to stop auto-mounting of service account tokens if the container does not access it.

How does it work?

Discovery Engine works as a plug-in with KubeArmor. Discovery Engine acquires system logs from KubeArmor Relay which are processed and analyzed to check whether there are any accesses to the service account token mounted into the container.

Discovered policy uses labels to match on the pod or the pod controller. Discovery Engine stores these policies internally inside a database which are updated and deleted as per application behavior. It is suggested to run applications in the pre-production stage, trying to hit maximum code points so that KubeArmor has maximum visibility into application behavior and highly accurate policies can be generated.

These discovered policies will then prevent bad configurations at the admission time only, enhancing the security posture and not leaving it for runtime pre or post attack mitigation.

Note: Only Kyverno policies are recommended at present. The framework can be extended to generate OPA (Open Policy Agent) Rego policies or KubeWarden policies.

Demo Time ⏳
I. Download and install karmor cli-tool
$ curl -sfL http://get.kubearmor.io/ | sudo sh -s — -b /usr/local/bin
II. Install KubeArmor
$ karmor install
III. Install Discovery Engine
$ kubectl apply -f
https://raw.githubusercontent.com/kubearmor/discovery-engine/dev/deployments/k8s/deployment.yaml

IV. Create an nginx deployment
$ kubectl create deploy nginx –image=nginx –replicas=1
V. Let’s try to recommend policies using karmorCLI, nginx image does not access the service account token.

 

Secure your workloads

side-banner Explore Marketplace

*No strings attached, limited period offer!

  • Schedule 1:1 Demo
  • Product Tour

On an average Zero Day Attacks cost $3.9M

why accuknox logo
Marketplace Icon

4+

Marketplace Listings

Regions Icon

7+

Regions

Compliance Icon

33+

Compliance Coverage

Integration Icon

37+

Integrations Support

founder-image

Prevent attacks
before they happen!

Schedule 1:1 Demo

See interactive use cases in action

Experience easy to execute use cases; such as attack defences, risk assessment, and more.

Please enable JavaScript in your browser to complete this form.