Overview

Amazon EKS Hybrid nodes (working name) brings a fully managed, cloud-consistent Kubernetes experience to customers, simplifying hybrid application delivery and standardizing operational practices across on-premises, edge, and cloud environments. With Amazon EKS, customers can use the same console, APIs, and tools they use when running workloads on AWS infrastructure. The Amazon EKS Hybrid Nodes release builds on the success of EKS by significantly simplifying the on-premises use case.

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed Kubernetes service that runs Kubernetes in the AWS cloud and on-premises data centers. In the cloud, Amazon EKS automatically manages the availability and scalability of the Kubernetes control plane nodes responsible for scheduling containers, managing application availability, storing cluster data, and other key tasks. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure and integrations with AWS networking and security services.

What is EKS Hybrid?

Amazon EKS Hybrid is an extension of Amazon EKS, which supports the deployment and management of Kubernetes across the cloud and on-premises. EKS provides a consistent, fully supported Kubernetes solution with integrated tooling and simple deployment to AWS Outposts, virtual machines, or bare metal servers.

EKS-H nodes Use Cases

1. Deploy across hybrid environments – Manage your Kubernetes clusters and applications in hybrid environments and run Kubernetes in your data centers.
2. Model machine learning (ML) workflow – Efficiently run distributed training jobs using the latest Amazon Elastic Compute Cloud (EC2) GPU-powered instances, including Inferentia, and deploy training and inferences using Kubeflow.
3. Build and run web applications – Create applications that automatically scale up and down and run in a highly available configuration across multiple Availability Zones (AZs) with out-of-the-box networking and security integrations.

Value Proposition

The KubeArmor and EKS-H Nodes integration provides:

• Enhanced Security Posture: Runtime protection, threat detection, and compliance enforcement
• Operational Excellence: Unified policy management and native Kubernetes integration
• Cost Management: Efficient resource utilization and reduced tooling complexity

This solution enables DevSecOps teams to implement comprehensive workload security while maintaining operational efficiency across hybrid cloud environments.

What is KubeArmor?

• KubeArmor is an open-source application firewalling solution built for Cloud Native workloads. https://github.com/kubearmor/KubeArmor 
• KubeArmor uses Linux Security Modules (LSMs – AppArmor or SELinux to enforce application security), Syscall Filtering, and soon eBPF LSMs to support hardening of a given process or container while interacting with the host, resources, or other processes locally or across the network.
• Additionally, KubeArmor produces alert logs for policy violations that happen in containers by monitoring the operations of containers’ processes using its eBPF-based system monitor.
• KubeArmor allows operators to define security policies based on Kubernetes metadata and simply apply them to Kubernetes.
• Additionally, KubeArmor supports virtual machine and bare-metal workloads at this moment

KubeArmor Architecture

Install the KubeArmor EKS add-on on Amazon EKS

From AWS Console

Once you’ve subscribed to KubeArmor on AWS Marketplace and completed the on-screen setup, you’ll be directed to the Amazon EKS console. To begin in the Amazon EKS console, navigate to your EKS clusters and click on the “Add-ons” tab. From there, select “Get more add-ons” to locate the KubeArmor EKS add-ons in the cluster settings of your existing EKS clusters. You can use the search bar to find “KubeArmor” and then follow the on-screen instructions to enable the KubeArmor add-on for your Amazon EKS cluster.

How to install KubeArmor on EKS-H Nodes

Follow these steps:

Open your workspace and execute the command below. Make sure to replace $YOUR_CLUSTER_NAME and $AWS_REGION with the actual name of your Amazon EKS cluster and its respective AWS region.

aws eks create-addon --addon-name accuknox_KubeArmor
--cluster-name $YOUR_CLUSTER_NAME --region $AWS_REGION

You’ll receive a response with information about the add-on’s status, like its name, cluster name, and version. The add-on will be in the “CREATING” status initially.

To check the installation status of the KubeArmor add-on, use the following command:

aws eks describe-addon --addon-name accuknox_KubeArmor
--cluster-name $YOUR_CLUSTER_NAME --region $AWS_REGION

Once the add-on becomes active, its status will change to “ACTIVE.” This command will provide details similar to those in the response above, including the status, version, and creation date.

To disable the KubeArmor add-on, you can execute the following command from AWS CLI

aws eks delete-addon --addon-name accuknox_KubeArmor
--cluster-name $YOUR_CLUSTER_NAME --region $AWS_REGION

To Install KubeArmor from the marketplace visit: KubeArmor-EKS-add-on

Why is it important to protect pods?

Typically, a k8s pod is the entity that’s reachable from an external world possibly through an ingress controller. Thus, if the workload or an application within the pod is vulnerable, it has higher chances of getting compromised. The host may subsequently be compromised if the attacker can leverage a container escape. However, the pod itself has attack vectors that an attacker can leverage to do lateral movements or to exfiltrate the data.

To quote NSA-CISA K8s Hardening Guide:

“Applications running inside the cluster are common targets. They are frequently accessible outside of the cluster, making them reachable by remote cyber actors. An actor can then pivot from an already compromised Pod or escalate privileges within the cluster using an exposed application’s internally accessible resources.”

In the AWS Shared Responsibility Model, the pods and application security falls within the scope of the customer who installs the workloads. KubeArmor provides a way to harden the pods just the way the hosts and nodes have been hardened for decades.

KubeArmor policies are enforced at runtime after the workloads are deployed and are executing. The KubeArmor policy management should be handled in similar ways, in which one handles network policies that are also enforced at runtime.

Real-world use case

The alpine image used as a base image in many of the containerized workloads is shipped with /sbin/apk binary, which is essentially a package management tool. It’s possible that new binaries are installed using tools that can increase the attack surface within the pods. In the production environment, it’s best to disable execution of these tools. KubeArmor reduces the attack surface area by blocking execution of such binaries.

The following example policy shows you how to do this:

Another example implementation is when you deploy any pod in your k8s cluster, because that pod is mounted by default with a service account token at path /var/run/secrets/kubernetes.io/serviceaccount even if none of the applications require access to it within the pod. Attackers can leverage tokens to access k8s api-server to move laterally within the structure.

To quote NSA-CISA K8s Hardening Guide in the context:

“By default, Kubernetes automatically provisions a service account when creating a Pod and mounts the account’s secret token within the Pod at runtime. Many containerized applications do not require direct access to the service account as Kubernetes orchestration occurs transparently in the background. If an application is compromised, account tokens in Pods can be gleaned by cyber actors and used to further compromise the cluster.”

KubeArmor provides a way to restrict access to service account token paths within the pod by disabling access to it.

Conclusion

You can use Amazon Linux 2023, Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, or Red Hat Enterprise Linux (RHEL) 8 and 9 as the node operating system for your hybrid nodes. AWS supports the hybrid nodes integration with these operating systems but doesn’t provide support for the operating systems themselves. You’re responsible for operating system provisioning and management.

Let us know if you are seeking additional guidance in planning your cloud security program.