Protect your Virtual Machine and Bare Metal Systems during Runtime

Edited: November 18, 2025


TL;DR

What’s new:

  • AccuKnox has released an alpha version that extends its runtime protection tooling to virtual machines (VMs) and bare-metal systems.
  • The goal is to enable application hardening and enforcement using Linux Security Modules (LSMs) like AppArmor/SELinux, and eBPF.

Key components and features:

  • KVMService: A control plane component to manage policies for VMs / bare-metal machines.
  • Host policy support through tools like Cilium and KubeArmor, allowing policies targeted at VMs and specific processes.
  • Policy discovery for VMs: identifies which policies should be applied and enforces them at the process level.
  • SELinux policy support for OSes such as RHEL and CentOS, with limitations (for example, reduced ability to block network access for applications under SELinux in some cases).

Deployment modes covered:

  • Hybrid: Workloads spread across Kubernetes and VMs/non-K8s environments. Common policy tooling across both.
  • VM / Bare-metal only: For organizations not using Kubernetes; KVMService orchestrates policies and collects observability data directly on the hosts.

Runtime Protection for VMs and Bare Metal

Teams today run critical applications across virtual machines, bare-metal servers, and containerized environments – often all at once. In this landscape, runtime protection is no longer a container-only problem; it’s a core layer of defense for every execution environment.

Since 2022, AccuKnox has continuously evolved its runtime protection capabilities to cover these diverse infrastructures. What began as enforcement for containerized workloads has expanded into full kernel-native protection for VMs and bare-metal systems, powered by AppArmor, SELinux, and eBPF.

Why Runtime Protection Matters

Misconfigurations, insider threats, and kernel-level exploits remain leading causes of breaches. Traditional scanners and EDR tools catch issues after the fact. Runtime protection prevents them in real time, blocking unauthorized process execution, file access, and network actions before they compromise a system.

By combining behavior-based enforcement and policy automation, AccuKnox brings continuous runtime security to every layer of a hybrid infrastructure.

What’s New in 2025: Unified eBPF and LSM Security

The 2025 release marks a major leap forward in unified observability and control for non-containerized workloads.
AccuKnox now merges eBPF observability with Linux Security Module (LSM)-based enforcement, creating a tightly coupled protection layer that works across VMs, bare metal, and hybrid clusters.

Key 2025 Enhancements:

  • Unified Observability: Correlate eBPF runtime traces with LSM enforcement logs in one view.
  • Improved SELinux Compatibility: Broader enforcement options and simplified policy authoring for RHEL, CentOS, and Fedora systems.
  • Hybrid Policy Synchronization: Seamless policy sharing between Kubernetes clusters and standalone VMs.
  • Enhanced Visibility: Native Prometheus and Grafana integrations provide live runtime telemetry and performance metrics.

This architecture ensures teams gain the same visibility and control in a VM or bare-metal environment that they already expect from container security platforms.

AccuKnox is happy to announce the alpha availability of support for virtual machine and bare-metal systems. With this announcement, customers will be able to use our open source tooling to apply application hardening and runtime enforcement using AppArmor / SELinux (commonly known as Linux Security Modules, or LSMs) and eBPF (extended Berkeley Packet Filter).

The solution for supporting Virtual machines and bare metal systems consists of:

  • KVMService – a control plane for managing virtual machines and bare-metal systems.
  • Host Policy support – available now with both Cilium and KubeArmor. This allows us to target a virtual machine (using a label) and its processes, creating policies that restrict access to the network and other system resources using both KubeArmor and Cilium.
  • Policy discovery for virtual machines, which now enables Cilium and KubeArmor host policies to be discovered and enforced at the level of a particular process.
  • SELinux policy support – this allows virtual machines running Red Hat Enterprise Linux and CentOS to be supported for host policy enforcement. KubeArmor policies will now work on SELinux-enabled operating systems, with limitations. The specific limitation is the lack of ability to block network access for applications.
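As an added illustration (not code from this post or from the KubeArmor project), the following KubeArmorHostPolicy shows the kind of per-VM, per-process restriction described above: it selects one VM by label, blocks execution of binaries dropped under /tmp, and denies outbound TCP from a single binary. The node label, the binary path and the policy name are assumptions; on SELinux hosts the network section would not be enforced, per the limitation noted above.

```yaml
# Added example: a KubeArmor host policy scoped to one VM and one process.
# Assumptions (hypothetical): the VM is labelled kubernetes.io/hostname=vm-billing-01
# and the binary whose network access is being restricted is /usr/bin/curl.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-vm-billing-restrict-curl
spec:
  # Select the VM / bare-metal node by label (label value is an assumption).
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: vm-billing-01
  severity: 7
  tags: ["network", "egress", "execution"]
  message: "Blocked policy violation on billing VM"
  # Deny execution of anything under /tmp (recursively), a common
  # hardening rule against dropped binaries.
  process:
    matchDirectories:
    - dir: /tmp/
      recursive: true
  # Deny TCP sockets when the calling process is /usr/bin/curl.
  # Per the post, network blocking is not available on SELinux hosts
  # (RHEL/CentOS), so this section is only enforced under AppArmor.
  network:
    matchProtocols:
    - protocol: tcp
      fromSource:
      - path: /usr/bin/curl
  # One action applies to every rule section in the policy.
  action: Block
```

Because the policy is a host policy, it applies to processes running directly on the VM rather than inside pods; a matching KubeArmor alert (for the message above) is the signal to look for when validating that enforcement is active.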

How KVMService Enables Policy Orchestration

KVMService is an open source project built by AccuKnox and is available at https://github.com/kubearmor . KVMService was built with the goal of orchestrating policies to virtual machine and bare-metal systems using either a K8s or a non-K8s control plane.

Let’s look at the initial design goals for KVMService:

  • Onboard kubearmor/cilium to virtual machines/bare-metals/edge-devices
  • Orchestrate Kubearmor and Cilium policies to VMs
  • Handle observability in a unified manner
  • Support hybrid deployments of K8s and Virtual machine-based workloads.
  • Support automated policy discovery for kubearmor/cilium for VMs

Architectural Overview

KVMService operates as a lightweight policy orchestrator. It communicates with local agents deployed on VMs or bare-metal nodes, distributing runtime policies defined by administrators. Each node agent translates these policies into AppArmor or SELinux rules, enforced directly within the Linux kernel.

This model provides:

  • Automated Policy Sync: Policies update dynamically across multi-cloud and on-prem environments.
  • Multi-Cluster Orchestration: Centralized control over both Kubernetes and non-Kubernetes workloads.
  • Performance Metrics Collection: Real-time telemetry using eBPF probes for resource monitoring and anomaly detection.

📌Note: Virtual Machines, Bare-Metal machines, Edge Devices will be used interchangeably in this document.

KVMService can either run as:

  1. As a K8s service plus operator in a K8s-based control plane, to support hybrid deployments
  2. Directly on a VM / bare-metal host as a systemd process, to support VM / bare-metal-only deployments


Hybrid Deployments

A deployment might have workloads distributed across both K8s and non-K8s (VM-based) environments. The primary aim is to support kubearmor/cilium onboarding, policy orchestration, and observability across these environments using the same toolsets. This allows simplified management of workloads for organizations who are in the midst of migrating to K8s from VMs or for those who might rely on VMs for the foreseeable future.

[Figure: Kubernetes controller cluster]

Most enterprises now operate in hybrid cloud mode, mixing Kubernetes workloads in the cloud with persistent VMs and on-prem servers. AccuKnox’s runtime protection extends consistently across all these setups.

Whether it’s a finance team running on AWS EC2, a manufacturing cluster on-prem, or a private cloud managed via Nutanix, AccuKnox applies unified policies for every workload type.

Example: Hybrid Security in Practice

A telecom provider deployed AccuKnox across GCP and on-premise data centers, securing both Kubernetes workloads and legacy VMs hosting signaling applications. By enforcing kernel-level runtime policies via KVMService, the provider achieved:

  • 40% reduction in security policy drift.
  • Unified audit visibility for all runtime events.
  • Compliance with zero-trust controls across cloud boundaries.

This hybrid orchestration model allows teams to manage, enforce, and observe runtime security consistently, regardless of where workloads reside.

VM and Bare-Metal-Only Security Models

For organizations running VMs or physical servers without Kubernetes, AccuKnox provides standalone deployment options that require minimal setup. Supported OS versions now include RHEL 9, Ubuntu 24.04 LTS, and Rocky Linux 9.x. Policies are managed through KVMService, deployed as a simple systemd service.

Virtual Machine / Bare Metal only Deployments

There are organizations that might not support K8s for the foreseeable future; their workloads will primarily be on cloud VMs, their own data-center VMs, or even bare-metal machines. AccuKnox supports VM-only deployments with KVMService, enabling runtime security with onboarding, policy orchestration, and observability.

[Figure: Virtual machine deployment]


FAQ

What is runtime protection for virtual machines and bare-metal systems?

Runtime protection ensures processes and workloads remain secure after deployment by enforcing behavior-based policies and blocking unauthorized activity in real time.

How does AccuKnox use eBPF and Linux Security Modules (LSMs)?

AccuKnox leverages eBPF for observability and AppArmor or SELinux for policy enforcement to detect, limit, and respond to suspicious runtime events at the kernel level.

What is KVMService in AccuKnox?

KVMService is a control plane that manages and orchestrates security policies for virtual machines and bare-metal systems, with or without Kubernetes integration.

Can I use AccuKnox for hybrid cloud workloads?

Yes. AccuKnox provides unified policy management for hybrid environments running across AWS, GCP, Azure, and on-premises VMs or edge devices.
