Skip to content

Community curated list of System and Network policy templates for the KubeArmor and Cilium

License

Notifications You must be signed in to change notification settings

rohitrishim/policy-templates

 
 

Repository files navigation

Policies Libraries

A community-owned library of Kubernetes System and Network policies

Build Status Slack Discussions Contributions


Policy Templates overview

Please follow the hierarchy while contribution

.
├── mitre
│   ├── network
│   │   └── cnp-firewall-world-block.yaml
│   ├── system
│   │   └── ksp-postgres-allow.yaml
│   │   └── ksp-privilage-pod-block.yaml
├── pci-dss
│   ├── network
│   │   └── cnp-cardholder-data-block.yaml
│   ├── system
│   │   └── ksp-protect-cardholder-data-audit.yaml
├── nist
│   ├── network
│   │   └── cnp-account-management-block.yaml
│   ├── system
│   │   └── ksp-remote-file-copy-block.yaml
│   │   └── ksp-active-directory-audit.yaml
├── cves
│   ├── network
│   │   └── cnp-CVE-2009-0932.yaml
│   ├── system
│   │   └── ksp-CVE-2021-29156.yaml
│   │   └── ksp-CVE-2021-29442.yaml
├── cis
│   ├── system
│   │   └── hsp-scheduler-pod-block.yaml
...

📖 Documentation

Please navigate to https://kubearmor.gitbook.io for detailed documentation to deploy KubeArmor and create own custom templates. We have also added a set of templates to help you understand how things work.

💪 Contributions

Policy-templates is powered by major contributions from the community and an initiative from AccuKnox. Refer Contribution for more info

💬 Discussion

Got questions / doubts / ideas to discuss? Feel free to open a discussion on Github discussions board.

👨‍💻 Test it yourself

Assuming cluster is configured, this can be verified via using kubectl config current-context command. If not follow this

Step #1: Download and install karmor CLI binary on your local machine

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin

Step #2: Install KubeArmor using karmor CLI tool

karmor install

Step #3: Deploy sample application on configured cluster, we'll use nginx as deployment here

kubectl apply -f https://k8s.io/examples/application/deployment.yaml
kubectl get pods -l app=nginx

Step #4: Applying MITRE Policy to block system owner discovery command

kubectl apply -f https://raw.githubusercontent.com/kubearmor/policy-templates/main/mitre/system/ksp-mitre-system-owner-user-discovery.yaml

Step #05: Checking if system owner command is Blocked or not

kubectl exec -it --namespace default nginx-deployment-xxxxxxxxxx-xxxxx -- bash
root@nginx-deployment-687d8556b7-8wjmj:/# whoami
bash: /usr/bin/whoami: Permission denied

Replace nginx-deployment-xxxxxxxxxx-xxxxx with pod name from Step #3.
We can see the command didn't executed and instead we got Permission denied

Step #6: Getting telemetry/alerts for KubeArmor

kubectl port-forward -n kube-system svc/kubearmor 32767:32767

Keep this terminal open, and in another terminal type

karmor log

About

Community curated list of System and Network policy templates for the KubeArmor and Cilium

Resources

License

Stars

Watchers

Forks

Packages

No packages published