KubeArmor On AWS Bottlerocket
KubeArmor uses BPF-LSM to protect Bottlerocket containers from within, constraining what each workload may do with respect to processes, files and network. For example, the Kubernetes service account token mounted into a pod is, by default, readable by every process in every container of that pod; KubeArmor can restrict access to that token to a named set of processes. In the same way, KubeArmor can protect other sensitive material inside the container, such as Kubernetes secrets mounted as files and X.509 certificates and keys.
KubeArmor on AWS Bottlerocket: Runtime Security for Modern Kubernetes Workloads
As Kubernetes adoption accelerates, organizations face the growing challenge of securing both the infrastructure and the application layer. This is where KubeArmor on AWS Bottlerocket comes in: a combination of a hardened, minimal host OS and a runtime security enforcement tool for the Kubernetes workloads running on it.
What is AWS Bottlerocket?
AWS Bottlerocket is a Linux-based operating system purpose-built by AWS for running containers. Designed with a security-first mindset, Bottlerocket minimizes the attack surface by shipping without a package manager, shell or interpreters on the host. If an administrator needs to perform maintenance tasks, they must go through tightly controlled access mechanisms: the control host container (for SSM-based access) or the admin host container, which is disabled by default. This approach enforces immutable-infrastructure principles and prevents unauthorized modifications to the system.
Bottlerocket also secures updates using The Update Framework (TUF), a CNCF-graduated project: update metadata and images are signed, and the update client verifies those signatures before any update is applied. The root filesystem is read-only and protected by dm-verity, which checks every block against a hash tree at read time, so any tampering with the root filesystem is detected. Kernel lockdown, together with the SELinux policy, prevents unauthorized processes from loading or unloading kernel modules.
With SELinux enabled in enforcing mode, Bottlerocket builds a robust foundation of host-level security, but it leaves the security of applications and pods to be handled separately.
Why Use KubeArmor on AWS Bottlerocket?
While Bottlerocket protects the host, KubeArmor secures the pods and containers running inside Kubernetes. In most cases, applications within pods are not developed with security in mind. KubeArmor addresses this gap by reducing the attack surface within pods using fine-grained runtime policies.
For example, KubeArmor allows you to:
- Limit which binaries or processes can be executed within a container.
- Restrict access to sensitive file paths and directories.
- Control which processes can make network calls or access Kubernetes service account tokens.
This is especially useful when applications ship with unnecessary tools like `apt`, `apt-get`, or `apk` that can be exploited in production. KubeArmor can explicitly block the execution of such binaries, even if they are included in the container image.
Deep Runtime Policy Enforcement
KubeArmor uses BPF-LSM, the Linux Security Module that runs eBPF programs at the kernel's LSM hooks, for policy enforcement. The KubeArmor DaemonSet on each node loads its BPF programs onto hooks such as bprm_check_security (process execution) and file_open (file access) and pushes the rules from each applied policy into BPF maps keyed by container; the hook program consults those maps on every event and returns a deny verdict when a rule matches. This gives fine-grained, programmable control over system events such as file access, process execution, and network operations without changing the container image or the host configuration.
From version 0.5 onward, KubeArmor supports BPF-LSM, enabling lightweight and efficient runtime security without relying on older mechanisms like `auditd`, which are often disabled in security-focused operating systems like Bottlerocket.
For observability, KubeArmor also uses eBPF to generate real-time alerts and telemetry data. When a policy violation occurs—such as an unauthorized process attempting to access a Kubernetes secret—KubeArmor logs the incident with detailed context, including the exact process, file path, pod, and namespace involved.
Real-World Use Cases
Using KubeArmor on AWS Bottlerocket, security teams can implement:
- Block policies: Prevent access to mounted Kubernetes service account tokens or the execution of dangerous binaries like `apt`.
- Allow-list policies: Define which binaries are permitted to access the network or perform specific file operations, denying all others (least privilege).
- Application-level data protection: For instance, ensuring only `mysqld` and `mysqladmin` can write to the `/var/lib/mysql` directory, safeguarding database integrity.
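Two added example policies (written for this page, not taken from the KubeArmor project) that cover the block and allow-list cases above. The first denies every process in pods labelled `app: web` access to the projected service account token directory. The second allows only `mysqld` and `mysqladmin` to touch `/var/lib/mysql` in pods labelled `app: mysql`. The labels and the binary paths (`/usr/sbin/mysqld`, `/usr/bin/mysqladmin`) are assumptions; the token directory is given as `/run/secrets/...` because `/var/run` is normally a symlink to `/run` and the kernel sees the resolved path.

```yaml
# Added examples, not project sample code. Labels and binary paths are assumptions.
---
# Block: no process in the pod may read the projected service account token.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-serviceaccount-token
  namespace: default
spec:
  severity: 8
  tags: ["credentials", "kubernetes"]
  message: "access to the service account token is blocked"
  selector:
    matchLabels:
      app: web
  file:
    matchDirectories:
    - dir: /run/secrets/kubernetes.io/serviceaccount/
      recursive: true
  action: Block
---
# Allow-list: only mysqld and mysqladmin may access the data directory.
# Every other process is denied once the namespace file posture is "block".
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: mysql-datadir-allowlist
  namespace: default
spec:
  severity: 8
  tags: ["database", "integrity"]
  message: "only mysqld and mysqladmin may access /var/lib/mysql"
  selector:
    matchLabels:
      app: mysql
  file:
    matchDirectories:
    - dir: /var/lib/mysql/
      recursive: true
      fromSource:
      - path: /usr/sbin/mysqld
      - path: /usr/bin/mysqladmin
  action: Allow
```

One caveat a practitioner should know: an Allow rule only turns into actual denials when the default file posture for the namespace is block, which is set with `kubectl annotate ns default kubearmor-file-posture=block`. With the default audit posture, other processes still get through and KubeArmor only emits alerts, which is the safer first step: run in audit, confirm via `karmor logs` that only the expected binaries appear, then switch the posture to block.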
One standout feature is KubeArmor's policy discovery engine, which observes a container's actual behavior (executed binaries, accessed files, network endpoints) and generates baseline policies from it, reducing the manual effort of policy creation. Generated policies should still be reviewed and applied in audit mode first, since they only reflect the behavior seen during the observation window.
The Perfect Pair: Bottlerocket + KubeArmor
In summary, AWS Bottlerocket and KubeArmor together form a comprehensive runtime security stack:
- Bottlerocket secures the host OS, ensuring only signed and verified updates, immutable file systems, and restricted administrative access.
- KubeArmor secures workloads, providing granular control over what each container is allowed to do at runtime.
This dual-layered approach aligns with Zero Trust principles, ensuring that both the infrastructure and the workloads themselves are locked down from potential threats.
For cloud-native organizations looking to run secure Kubernetes workloads on AWS, deploying KubeArmor on AWS Bottlerocket is a highly effective strategy to achieve end-to-end runtime protection.