AccuKnox Fireside Chat: Building Runtime Security with KubeArmor

Join the AccuKnox fireside chat with Andrew Martin, Co-founder of Control Plane, and Rahul Jadhav, Co-founder, CTO, AccuKnox. Delve into the world of KubeArmor! This discourse covers the key elements of its architecture, the significance of LSMs, and how it empowers DevSecOps engineers with seamless CI/CD integration. Uncover the defense superpowers of KubeArmor’s policy engine in this hands-on video discussion. Refer to the Demo Policies in the video when in doubt.

In the latest AccuKnox Fireside Chat, the team explored the design philosophy and technical foundations behind KubeArmor, a Kubernetes-native runtime security solution designed to move beyond observability and toward prevention.

As organizations shift left and adopt microservices, the challenge isn’t just about detecting malicious behavior—it’s about stopping it before it ever happens. KubeArmor was built to fill this critical gap in runtime protection.

Born from Real-World Security Needs

KubeArmor emerged from deep expertise in networking, system-level security, and transport protocols. The team behind it conducted an extensive review of the MITRE ATT&CK framework, focusing on techniques commonly used in containerized attacks. What they found was clear: existing tools could observe, but not enforce. That’s where KubeArmor differentiates itself—inline enforcement at the kernel level, triggered before malicious activity can execute.

Consider a real-world attack where an adversary modifies the root certificate store on a container host to bypass TLS inspection. Traditional monitoring may catch this after the fact. KubeArmor, however, prevents the file from being accessed in the first place.
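The certificate-store scenario above, expressed as a KubeArmor policy. This is an added example, not a policy from the talk or the KubeArmor project: the namespace, the `app: my-app` label and the severity are assumptions, and the protected paths are the usual Debian/Ubuntu locations of the trusted CA bundle. `readOnly: true` combined with `action: Block` denies writes while leaving reads of the bundle working, so TLS clients in the container are unaffected; the `process` rule additionally stops the helper that rebuilds the bundle from running at all.

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: protect-ca-trust-store
  namespace: default            # assumed namespace
spec:
  severity: 8
  tags: ["MITRE", "trust-store"]
  message: "Attempt to modify the container's trusted CA store"
  selector:
    matchLabels:
      app: my-app               # assumed workload label
  file:
    matchDirectories:
    # Block writes (but not reads) anywhere under the CA bundle directories.
    - dir: /etc/ssl/certs/
      recursive: true
      readOnly: true
    - dir: /usr/local/share/ca-certificates/
      recursive: true
      readOnly: true
    matchPaths:
    - path: /etc/ca-certificates.conf
      readOnly: true
  process:
    matchPaths:
    # Prevent regeneration of the bundle from inside the container entirely.
    - path: /usr/sbin/update-ca-certificates
  action: Block
```

Because enforcement happens in the LSM before the `open()` or `execve()` completes, a `Block` policy produces a denied operation in the container (`Permission denied`) plus a KubeArmor alert carrying the pod, namespace and container metadata, rather than an after-the-fact alert about a certificate that has already been installed.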


Why Not Just Use eBPF or Ptrace?

During the AccuKnox Fireside Chat, the conversation addressed why popular techniques like eBPF, ptrace, and LD_PRELOAD don’t go far enough—or come with significant trade-offs.

  • Ptrace introduces high overhead (often 20–30%) and is too intrusive for production.
  • LD_PRELOAD and glibc overrides compromise container image integrity and break compliance like FIPS.
  • eBPF send_signal is reactive, not preventative. There’s a delay between detection and process termination, during which attackers can disable defenses or exfiltrate data.

Sandboxing tools like gVisor and Firecracker were also evaluated but deemed too heavy-handed, requiring major changes to host and runtime configurations.


Why KubeArmor Chose Linux Security Modules (LSMs)

The answer lies in the Linux Security Module (LSM) framework, specifically AppArmor, SELinux, and more recently, BPF-LSM. These kernel-native enforcement layers allow for pre-execution validation of system calls, meaning a process or file access attempt can be blocked before it executes.

However, LSMs are notoriously hard to manage. Misconfiguring one can crash your workload. That’s why KubeArmor abstracts these complexities using Kubernetes-native Custom Resource Definitions (CRDs) and intuitive YAML policies.

For instance, blocking package managers in a container is as simple as:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: restrict-package-managers
spec:
  severity: 5
  selector:
    matchLabels:
      app: my-app
  file:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/yum
    action: Block

A Kubernetes-Native Architecture

KubeArmor is deployed as a DaemonSet across a Kubernetes cluster. It consists of two core engines:

  1. Enforcement Engine – Uses LSMs to apply inline runtime policy enforcement.
  2. Visibility Engine – Leverages eBPF to observe system calls and correlate behavior with pod, container, and namespace metadata.

This tight integration with Kubernetes ensures low overhead, high fidelity, and seamless developer experience—all without modifying container images.


Beyond Kubernetes: Supporting VMs and Edge

Although KubeArmor started in Kubernetes, its reach has expanded:

  • Bare Metal & VMs: Runs as a systemd process or container.
  • Edge Environments: Used in projects like LF Edge Open Horizon to isolate workloads and mitigate lateral threats.
  • Cloud: Compatible with distributions like AWS Bottlerocket, GKE COS, and AKS, thanks to growing support for BPF-LSM.

This flexibility makes KubeArmor ideal for hybrid, multi-cloud, and edge deployments.
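For nodes and VMs the same policy language is applied through the host-scoped resource instead of the pod-scoped one. The following is an added example, not a policy from the talk or the project; the hostname label value is constructed. It extends the package-manager policy shown earlier to the host itself and deliberately starts in `Audit` mode, which is the practical answer to the "misconfiguring an LSM can crash your workload" caveat: KubeArmor reports every match without denying it, and the action is switched to `Block` only after the audit alerts have been reviewed. The assumption here is a Kubernetes node; in the systemd deployment mode the same YAML is loaded through the KubeArmor CLI rather than applied with kubectl.

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy        # cluster-scoped: no metadata.namespace
metadata:
  name: hsp-audit-package-managers
spec:
  severity: 5
  message: "Package manager executed on a protected node"
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: worker-01   # constructed node name
  process:
    matchPaths:
    - path: /usr/bin/apt
    - path: /usr/bin/apt-get
    - path: /usr/bin/yum
    - path: /usr/bin/dnf
  # Staged rollout: observe first, then change this single line to Block.
  action: Audit
```

Reviewing the audit alerts first also surfaces legitimate callers (an image-build step, a configuration-management agent) that would otherwise be broken the moment the policy is switched to `Block`; those can be carved out with a `fromSource` rule or a narrower selector before enforcement is turned on.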


Open Source at Its Core, Enterprise Ready

As highlighted in the AccuKnox Fireside Chat, KubeArmor is a CNCF Sandbox Project with a fully open-source core. The AccuKnox Enterprise Edition adds capabilities like policy discovery, GitOps integration, and multi-cluster orchestration—but the core enforcement engine remains unchanged.

Contributions to the open-source version flow directly into the enterprise release, ensuring community feedback drives real-world impact.


Final Thoughts from the AccuKnox Fireside Chat

KubeArmor is stable and ready for production today. The AccuKnox GA release is expected by year’s end, with efforts underway to simplify policy creation, automate security posture discovery, and streamline deployment.

If you’re exploring ways to implement Zero Trust security at the runtime layer, KubeArmor offers a production-grade, Kubernetes-native solution that doesn’t trade usability for security.

To get involved, visit KubeArmor on GitHub or join the Slack community. The team behind the project welcomes collaboration and feedback.

⏰Timestamps:

00:00 – Warmup
02:28 – Root Certificate Installation Discussion
05:35 – KubeArmor [Abstracting LSMs]
11:25 – KubeArmor Architectural Elements
14:39 – Demo Policies
18:18 – Why LSM Approach
22:35 – Protecting Edge Workloads

RESOURCES

💻 Learn more about AccuKnox
Contact: https://accuknox.com/contact-us
❓Get help with queries
Slack: https://kubearmor.slack.com/
💬 Follow AccuKnox on social media
LinkedIn: https://www.linkedin.com/company/accuknox/
X: https://x.com/Accuknox
✅ Subscribe to Accuknox’s YouTube channel https://www.youtube.com/channel/UCLqK