A community-owned library of Kubernetes System and Network policies
Please follow this hierarchy when contributing:
.
├── mitre
│   ├── network
│   │   └── cnp-firewall-world-block.yaml
│   └── system
│       ├── ksp-postgres-allow.yaml
│       └── ksp-privilage-pod-block.yaml
├── pci-dss
│   ├── network
│   │   └── cnp-cardholder-data-block.yaml
│   └── system
│       └── ksp-protect-cardholder-data-audit.yaml
├── nist
│   ├── network
│   │   └── cnp-account-management-block.yaml
│   └── system
│       ├── ksp-remote-file-copy-block.yaml
│       └── ksp-active-directory-audit.yaml
├── cves
│   ├── network
│   │   └── cnp-CVE-2009-0932.yaml
│   └── system
│       ├── ksp-CVE-2021-29156.yaml
│       └── ksp-CVE-2021-29442.yaml
├── cis
│   └── system
│       └── hsp-scheduler-pod-block.yaml
...
Please navigate to https://kubearmor.gitbook.io for detailed documentation on deploying KubeArmor and creating your own custom templates. We have also added a set of templates to help you understand how things work.
Policy-templates is powered by major contributions from the community and an initiative from AccuKnox. Refer to the Contribution section for more info.
Got questions, doubts or ideas to discuss? Feel free to open a discussion on the GitHub discussions board.
This walkthrough assumes a cluster is already configured; verify which one kubectl is pointed at with the
kubectl config current-context
command (if it prints nothing, configure a cluster first). Then follow these steps:
Step #1: Download and install the karmor CLI binary on your local machine
curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
Step #2: Install KubeArmor using the karmor CLI tool
karmor install
Step #3: Deploy a sample application on the configured cluster; we'll use an nginx Deployment here
kubectl apply -f https://k8s.io/examples/application/deployment.yaml
kubectl get pods -l app=nginx
Step #4: Apply the MITRE policy that blocks the system owner/user discovery command (whoami) in the nginx pods
kubectl apply -f https://raw.githubusercontent.com/kubearmor/policy-templates/main/mitre/system/ksp-mitre-system-owner-user-discovery.yaml
Step #5: Check whether the system owner discovery command is blocked
kubectl exec -it --namespace default nginx-deployment-xxxxxxxxxx-xxxxx -- bash
root@nginx-deployment-687d8556b7-8wjmj:/# whoami
bash: /usr/bin/whoami: Permission denied
Replace nginx-deployment-xxxxxxxxxx-xxxxx with the pod name from Step #3.
The command did not execute; instead we got Permission denied, which is KubeArmor's enforcer denying execution of /usr/bin/whoami under the policy applied in Step #4.
Step #6: Get telemetry/alerts from KubeArmor
kubectl port-forward -n kube-system svc/kubearmor 32767:32767
Keep this terminal open, and in another terminal run
karmor log
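Steps #5 and #6 above are checked by eye. The following is an added example, not code from the policy-templates repository or from KubeArmor, that turns those two checks into small POSIX shell helpers a CI job can assert on: one inspects the output of the kubectl exec for the enforcement denial, the other counts Block alerts for a given policy in a saved karmor log dump. It assumes that karmor log --json prints one JSON alert per line carrying the KubeArmor alert fields PolicyName, Action, Result and Resource, and that the template applied in Step #4 has metadata.name ksp-mitre-system-owner-user-discovery; both are assumptions, and the sample alerts in the block are constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example (not from the policy-templates repo or KubeArmor): automate the
# checks done by eye in Step #5 and Step #6 of the README.
# Assumed: `karmor log --json` emits one JSON alert per line with the fields
# PolicyName, Action, Result and Resource; the applied template's
# metadata.name is ksp-mitre-system-owner-user-discovery. The sample alerts
# below are constructed, not captured from a cluster.

# Step #5 check: did `kubectl exec ... -- whoami` hit the enforcer?
# $1 is the combined stdout/stderr of the exec. Returns 0 when blocked.
whoami_was_blocked() {
    case "$1" in
        *"Permission denied"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull one top-level string field out of a single-line JSON alert with sed,
# so the check works without jq. $1 = JSON line, $2 = field name.
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Step #6 check: count alerts on stdin whose Action is Block and whose
# PolicyName is $1. Audit events and other policies are skipped.
count_blocked_by_policy() {
    n=0
    while IFS= read -r line; do
        [ "$(json_field "$line" Action)" = "Block" ] || continue
        [ "$(json_field "$line" PolicyName)" = "$1" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample of what `karmor log --json` might emit during Step #5:
# two blocked whoami executions and one unrelated audit event.
SAMPLE_ALERTS='{"NamespaceName":"default","PodName":"nginx-deployment-687d8556b7-8wjmj","PolicyName":"ksp-mitre-system-owner-user-discovery","Operation":"Process","Resource":"/usr/bin/whoami","Action":"Block","Result":"Permission denied"}
{"NamespaceName":"default","PodName":"nginx-deployment-687d8556b7-8wjmj","PolicyName":"ksp-mitre-system-owner-user-discovery","Operation":"Process","Resource":"/usr/bin/whoami","Action":"Block","Result":"Permission denied"}
{"NamespaceName":"default","PodName":"nginx-deployment-687d8556b7-8wjmj","PolicyName":"DefaultPosture","Operation":"Process","Resource":"/bin/ls","Action":"Audit","Result":"Passed"}'

# Live check against a cluster, kept in a function so this file is safe to
# source without kubectl. $1 = file where `karmor log --json` was redirected
# while Step #5 ran (the README's port-forward must be up for karmor log).
verify_live() {
    pod=$(kubectl get pods -n default -l app=nginx \
        -o jsonpath='{.items[0].metadata.name}')
    # A blocked exec exits non-zero; capture stderr and keep going.
    out=$(kubectl exec -n default "$pod" -- whoami 2>&1 || true)
    if ! whoami_was_blocked "$out"; then
        echo "whoami was NOT blocked in $pod: $out" >&2
        return 1
    fi
    blocked=$(count_blocked_by_policy ksp-mitre-system-owner-user-discovery < "$1")
    if [ "$blocked" -lt 1 ]; then
        echo "exec was denied but no Block alert reached karmor log" >&2
        return 1
    fi
    echo "policy enforced in $pod, $blocked Block alert(s) recorded"
}
```

Against a live cluster, keep the port-forward from Step #6 open, redirect karmor log --json to a file in another terminal, repeat the whoami from Step #5, then call verify_live with that file; a denial without a matching alert means enforcement works but telemetry is not reaching the relay, which is worth knowing before relying on the alerts for detection.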