Open tesla59 opened 1 month ago
Tried reproducing the error, but HSP enforcement works on my machine with:
navin@localhost:~> uname -a
Linux localhost.localdomain 6.9.1-1-default #1 SMP PREEMPT_DYNAMIC Fri May 17 11:59:46 UTC 2024 (0c0b0b5) x86_64 x86_64 x86_64 GNU/Linux
OS - openSUSE Tumbleweed
Running kubectl version
outputs:
Client Version: v1.30.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.4+k3s1
Applied the policy:
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
name: hsp-sleep
spec:
nodeSelector:
matchLabels:
kubernetes.io/os: linux
process:
matchPaths:
# - path: /usr/bin/pacman
- path: /usr/bin/sleep
action:
Block
Result:
bash: /usr/bin/sleep: Permission denied
Kubearmor logs of kubearmor-bpf-containerd
pod:
2024-05-24 05:35:30.768729 INFO Detected a Host Security Policy (added/hsp-sleep)
2024-05-24 05:35:30.768783 INFO Updating host rules
2024-05-24 05:35:30.768801 INFO Creating inner map for host
2024-05-24 05:35:42.621256 INFO Detected a Host Security Policy (deleted/hsp-sleep)
2024-05-24 05:35:42.621295 INFO Updating host rules
2024-05-24 05:35:42.621327 INFO Deleting inner map for host
I think that narrows down the bug to Arch Linux only since both runs are on same kernel version and same cluster version
@tesla59 can i know in which container you ran sleep?
@harisudarsan1 on the host itself
kubearmor can't able to enforce if it is running inside k8s cluster. So try deploying wordpress given in the examples directory in the kubearmor repo and check whether it is enforcing or no and also check karmor probe if policy is listed or not.
We discussed this further on slack - ref. This can be reproduced consistently with non-operator Kubernetes installation in environment which doesn't have neither apparmor
nor selinux
in the list of LSMs i.e. the output of LSM file looks like below
$ cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,bpf
For context - kubearmor-policy annotation is set at the node level to determine if the node has an LSM present and if enforcement is possible using it.
In KubeArmor we check for this condition here and you'll notice that there is no check for BPF LSM. So on systems which don't have apparmor, the annotation would be set to audited and application of policy will be skipped by KubeArmor based on this condition.
Things we need to fix are:
Can confirm. The machine which the kubearmor is running on has active bpf but not apparmor
~/ cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,bpf
Bug Report
General Information
uname -a
):kubectl version
, ...)To Reproduce
Started a k3s cluster using
Installed KubeArmor using
Enabled Host Visbility by editing the kubearmor daemonset (ref)
Annotated the node using
Confirmed both of them (Step 3 and Step 4) are using
and
Applied the above mentioned policy using
kubectl apply -f
Ran the commands mentioned in the policy
Expected behavior
The execution of command
pacman
andsleep
should be blocked and shown asPermission denied command terminated with exit code 126
Additional Info
k logs kubearmor-jz644 -n kubearmor
, it showsI t detects the policy but does not update it. In case of container enforcement, we see the following logs
karmor probe
Found KubeArmor running in Kubernetes
Daemonset : kubearmor Desired: 1 Ready: 1 Available: 1
Deployments : kubearmor-operator Desired: 1 Ready: 1 Available: 1
kubearmor-relay Desired: 1 Ready: 1 Available: 1
kubearmor-controller Desired: 1 Ready: 1 Available: 1
Containers : kubearmor-operator-5878ff8b8b-gkqk8 Running: 1 Image Version: kubearmor/kubearmor-operator:v1.3.4
kubearmor-relay-85646db78c-zqnvj Running: 1 Image Version: kubearmor/kubearmor-relay-server:latest
kubearmor-controller-78b5859c9f-8tjk4 Running: 2 Image Version: kubearmor/kubearmor-controller:latest
kubearmor-jz644 Running: 1 Image Version: kubearmor/kubearmor:stable
Node 1 : OS Image: Arch Linux
Kernel Version: 6.9.1-arch1-1
Kubelet Version: v1.29.4+k3s1
Container Runtime: docker://26.1.3
Active LSM: BPFLSM
Host Security: true
Container Security: true
Container Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Visibility: process,file,network,capabilities
Armored Up pods : +-----------+--------------------------------+-----------------------------------+------------------------+-----------+ | NAMESPACE | DEFAULT POSTURE | VISIBILITY | NAME | POLICY | +-----------+--------------------------------+-----------------------------------+------------------------+-----------+ | default | File(audit), | process,file,network,capabilities | nginx-7854ff8877-7pzvx | ksp-nginx | | | Capabilities(audit), Network | | | | | | (audit) | | | | +-----------+--------------------------------+-----------------------------------+------------------------+-----------+
kubectl exec -it $POD -- bash -c "apt update && apt install masscan"
bash: line 1: /usr/bin/apt: Permission denied command terminated with exit code 126