kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0
1.51k stars 345 forks

Non K8s KubeArmor Enhancements #1815

Open daemon1024 opened 4 months ago

daemon1024 commented 4 months ago

Extending features to non-k8s

yp969803 commented 4 months ago

/assign

daemon1024 commented 4 months ago

This will be part of LFX Mentorship; we will assign through the LFX/CNCF process.

yp969803 commented 4 months ago

@daemon1024 I am interested in the issue, can I start looking at it? BTW, I am also applying for LFX term 3.

daemon1024 commented 4 months ago

@yp969803 thanks for your interest. We won't accept any PRs as of now. Happy to have a discussion, would love to have a proposal included in your cover letter.

daemon1024 commented 3 months ago

Hey Folks, thanks for the interest in the mentorship. We have certain prerequisites which we expect to be included in your application. Please include details or a reference to a document for the said prerequisites in your cover letter / mail to the mentors / submit it in the issue thread / DM the mentors in CNCF Slack by 20 August 11:59 PM IST.

Following are the details.

Non K8s KubeArmor Enhancements - https://mentorship.lfx.linuxfoundation.org/project/87d64083-e1fa-4aa4-a828-ca24e5ae96b3

Prerequisite:

  1. Set up KubeArmor in Unorchestrated mode on a BPF LSM node - https://docs.kubearmor.io/kubearmor/quick-links/kubearmor_vm
  2. Create a couple of containers using Docker on the same host
  3. Write a script (preferably in Go) to extract the list of containers currently running via the Docker API and replace the container name in the following policy - https://github.com/kubearmor/KubeArmor/blob/main/examples/kubearmor_containerpolicy.yaml
     Example:
     • Docker container named test
     • The original policy selects kubearmor.io/container.name: lb
     • The generated policy will have kubearmor.io/container.name: test
  4. Apply these policies using karmor vm policy add and check violations
  5. Bonus: Automatically call the function in your script to add all of these policies

Unorchestrated Containers Guide - https://github.com/kubearmor/KubeArmor/wiki/Support-for-non-orchestrated-containers
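The prerequisite script from steps 3 to 5 above, written out as an added example in Go that is not part of this issue or of the KubeArmor project. It lists running containers over the Docker Engine API on the unix socket using only the standard library, validates each container name before interpolating it into YAML (so an odd name cannot change the policy's shape), renders one policy per container and, for the bonus step, hands each file to karmor. The policy template is constructed and only modelled on the linked kubearmor_containerpolicy.yaml; the socket path /var/run/docker.sock and the invocation form karmor vm policy add <file> are assumptions.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// dockerContainer holds the fields we need from GET /containers/json.
type dockerContainer struct {
	ID    string   `json:"Id"`
	Names []string `json:"Names"`
}

// validName mirrors Docker's container-name rule; names are checked before
// being interpolated into YAML so a crafted name cannot alter the policy.
var validName = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)

// parseContainerNames extracts container names from the JSON body of
// GET /containers/json (Docker prefixes each name with "/").
func parseContainerNames(body []byte) ([]string, error) {
	var cs []dockerContainer
	if err := json.Unmarshal(body, &cs); err != nil {
		return nil, err
	}
	var names []string
	for _, c := range cs {
		if len(c.Names) == 0 {
			continue
		}
		n := strings.TrimPrefix(c.Names[0], "/")
		if !validName.MatchString(n) {
			return nil, fmt.Errorf("container %s has unexpected name %q", c.ID, n)
		}
		names = append(names, n)
	}
	return names, nil
}

// newDockerClient talks to the Engine API over its unix socket (assumed path).
func newDockerClient(socket string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", socket)
		},
	}}
}

// listRunningContainers queries /containers/json, which returns running containers by default.
func listRunningContainers(client *http.Client) ([]string, error) {
	resp, err := client.Get("http://docker/containers/json")
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("docker API returned %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	return parseContainerNames(body)
}

// policyTemplate is a constructed, minimal policy in the shape of the linked
// example; it carries the "lb" selector the issue mentions.
const policyTemplate = `apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: sample-policy
spec:
  selector:
    matchLabels:
      kubearmor.io/container.name: lb
  process:
    matchPaths:
      - path: /usr/bin/sleep
  action: Block
`

// renderPolicy swaps the selector for one container and suffixes the policy
// name so each generated policy is unique.
func renderPolicy(name string) (string, error) {
	if !validName.MatchString(name) {
		return "", fmt.Errorf("invalid container name %q", name)
	}
	p := strings.Replace(policyTemplate, "kubearmor.io/container.name: lb",
		"kubearmor.io/container.name: "+name, 1)
	return strings.Replace(p, "name: sample-policy", "name: sample-policy-"+name, 1), nil
}

func main() {
	names, err := listRunningContainers(newDockerClient("/var/run/docker.sock"))
	if err != nil {
		log.Fatal(err)
	}
	for _, n := range names {
		policy, _ := renderPolicy(n) // n already validated by parseContainerNames
		file := "policy-" + n + ".yaml"
		if err := os.WriteFile(file, []byte(policy), 0o600); err != nil {
			log.Fatal(err)
		}
		// Bonus step: apply with karmor (assumed form: karmor vm policy add <file>).
		cmd := exec.Command("karmor", "vm", "policy", "add", file)
		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
		if err := cmd.Run(); err != nil {
			log.Printf("apply %s: %v", file, err)
		}
	}
}
```

Run it as root (or as a user in the docker group) on the host where KubeArmor runs unorchestrated; the generated policy-<name>.yaml files stay on disk so the applied rules can be reviewed, and violations then show up in karmor logs.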