defenseunicorns / uds-core

A FOSS secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
GNU Affero General Public License v3.0
53 stars 21 forks source link

Evaluate KubeArmor as a NeuVector replacement #889

Open mjnagel opened 1 month ago

mjnagel commented 1 month ago

https://kubearmor.io/

Evaluate:

Definition of done: A scorecard evaluating the above criteria.

noahpb commented 4 weeks ago
Criteria KubeArmor NeuVector
Pros - Preemptively prevents malicious actions ("in-line mitigation") - Full end-to-end security, including runtime, network, and vulnerability protection
- CNCF project, strong open-source community - Network segmentation with zero-trust enforcement
- All rules and capabilities managed via a single Kubernetes spec - Enterprise-ready with compliance, vulnerability scanning, and firewall features
- Offers node level protection - Integrated enforcement, blocking malicious behavior in real-time
- Robust examples library
Cons - No user interface - Heavier resource consumption due to the extensive feature set
- Limited visibility out of the box - Complexity may overwhelm smaller deployments
- Security of the tool itself is still maturing (see KubeArmor/issues/1186) - Full enterprise features require a commercial version
- Stale docs across their GH repos
Community Adoption 1.5k stars, Slack channel with 100+ members, <10 known adopters, active community engagement from maintainers. Available on several CSP marketplaces. Enterprise focus, strong post-acquisition support by SUSE; less adoption in the general open-source community
Chainguard / IronBank Support Neither NeuVector is supported in IronBank (DoD-approved hardened container registry), suitable for government use
Runtime Detection Workload focused - monitors network, process, file and kernel behavior. Read more here Behavioral learning with runtime detection for container processes, files, and network traffic
Network Security Provides visibilty into network flows via discovery-engine and autogenerates least-permissive Network Policies, can monitor and prevent process network activity Provides network-layer security, including segmentation, DPI (Deep Packet Inspection), and zero-trust policies
Compliance & Vulnerability Scanning No support natively or via addon. Available via Enterprise license Built-in vulnerability scanning, compliance checks for PCI-DSS, GDPR, NIST, HIPAA
Enforcement Can Allow, Block or Audit any container file, network, process or k8s resource event Native enforcement engine to block network, process, and container-level threats in real-time
Out-of-the-Box Experience Helm chart, cli tool for bootstrapping, default configurations available on GitHub Comprehensive out-of-the-box security, with network policies, vulnerability scans, and compliance reports pre-configured
Helm / Config as Code Alignment Official Helm chart available, supports configuration via Kubernetes YAML files, easy to integrate into CI/CD pipelines Helm chart available, configuration-as-code support with advanced controls; more complex due to the breadth of features
Ease of Use / Learning Curve Policies are configurable via several CRDs. Specification is straightforward. GitHub repo offers plenty of example scenarios and use cases as well as expected alerts Steeper learning curve due to the full feature set (network, compliance, runtime) but offers behavioral learning to automate setup
Resource Consumption Minimal resource footprint (monitors syscalls), suited for resource-constrained environments. Benchmarking data available here Resource-intensive, especially with network security, DPI, and multi-layer enforcement
Integration with CI/CD No documented use cases for CI/CD, however metrics and alerts can be used to block non-conformant resources in pre-production environments Integrates well with CI/CD tools, can block non-compliant containers at runtime and during image scans
Policy Management Rule-based system, requires manual policy writing for custom security postures. Sample configurations available. Provides automatic generation of K8s NetworkPolicies Automated policy learning with ability to create manual policies, suitable for both network and runtime security
Enterprise Support / Features More features available from AccuKnox via their Cloud Workload Protection Platform CWPP Full enterprise support, including multi-cloud deployments, built-in compliance management, and security dashboards
Service Mesh Compatibility No native integration Provides strong integration with service meshes, enforcing network security and segmentation policies within service mesh traffic
Logging and Reporting Integrates with logging systems like Fluentd, ELK, and Prometheus for alerting and reporting; otel support, dashboards. Tutorial here Built-in real-time dashboards for network and runtime events; advanced reporting for compliance and threat detection
Cloud Provider Compatibility Extensive testing across multiple K8s Distros/CSPs and Host OS's Optimized for multi-cloud (AWS, GCP, Azure) and hybrid environments; certified for key public cloud providers and supports multi-cluster setups
noahpb commented 4 weeks ago

I decided to take KubeArmor for a spin because I thought the autogenerate NetworkPolicy feature would be helpful for debugging an issue I'm currently working. Their docs must be stale as this feature was removed over a year ago. Perhaps it's enterprise only now or just removed entirely. Something to be aware of when investigating other advertised features of the tool.

noahpb commented 3 weeks ago

I do like KubeArmor's abstraction of Linux Security Modules, maximizing portability across various OS's and distributions and minimizing complexity. Read more here.