kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0
1.49k stars 342 forks

KubeArmor is not blocking the process as expected #1839

Open myugan opened 2 months ago

myugan commented 2 months ago

Bug Report

To Reproduce

  1. Install KubeArmor using the Helm chart
  2. Apply the policy below to block the sleep command. Verify that the policy is successfully applied to the respective pod using karmor probe.
cat > ksp-ubuntu-proc-block.yaml <<EOL
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-proc-block
  namespace: default
spec:
  message: "block /usr/bin/sleep"
  selector:
    matchLabels:
      os: ubuntu
  process:
    matchPaths:
    - path: /usr/bin/sleep
  action:
    Block
EOL

Expected behavior

KubeArmor must block any activities according to the created policy.

Screenshots

image

daemon1024 commented 2 months ago

Hey @myugan, can you share how you are trying to violate it and what output you see? The configuration looks good to me.

Additionally, can you run which sleep in the ubuntu pod and check what the binary name is?

myugan commented 2 months ago

Hello @daemon1024, I have verified that the binary of sleep appears to be correct, and I even attempted to replace it with another binary file, but it did not block either. Is there a method to display the complete debug message in order to understand why it is not blocking the action according to the policy? Additionally, the output is not appearing in the karmor logs.

daemon1024 commented 2 months ago

Can we check if the Pod has apparmor annotation? Can you share the Pod/Deployment spec?

myugan commented 2 months ago

There is no annotation in the pod. Here is the manifest file.

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    os: ubuntu
spec:
  containers:
  - image: ubuntu
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always

I have checked the Pod annotation, and it says the policy is enabled as well.

...[SNIP]...
    cni.projectcalico.org/containerID: 08d1ca3a983909decb7b3a73c041105a48b6fbc70fdc69311acca739be8033ba
    cni.projectcalico.org/podIP: 192.168.94.9/32
    cni.projectcalico.org/podIPs: 192.168.94.9/32
    kubearmor-policy: enabled
    kubearmor-visibility: process,file,network,capabilities

sh1nnyboy commented 1 month ago

Got the same issue, any idea @daemon1024 ?

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-net-icmp-block
  namespace: default
spec:
  selector:
    matchLabels:
      os: ubuntu-util
  network:
    matchProtocols:
    - protocol: icmp
  action:
    Block

TheWeak3stLink commented 3 days ago

It seems like you have kubearmor in audit mode, not block. In my case I'm having the same issue, but I configured the policy in block mode using annotations:

image

Policy definition:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mysql-block
  namespace: default
spec:
  message: "Block /var/lib/mysql/"
  severity: 5
  selector:
    matchLabels:
      name: mysql-pod
  file:
    matchDirectories:
    - dir: /var/lib/mysql/
      recursive: true
  action:
    Block

Karmor probe output:

image

But I'm able to create files under /var/lib/mysql/ without being blocked.
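The maintainers' questions in this thread (do the selector labels match the pod, is the kubearmor-policy annotation present, is the action Block rather than Audit, does the pod carry an AppArmor profile annotation) can be run as a pre-flight check before testing enforcement. The following is an added example, not KubeArmor's own tooling; the Pod and policy dicts are transcribed from the first two manifests in the issue, and the `enforcer` parameter and the finding strings are this example's own.

```python
"""Pre-flight checks for a KubeArmorPolicy against the Pod it should cover.
Added example, not KubeArmor's own code. The Pod and policy are transcribed
from the issue as plain dicts (constructed; no YAML library needed).
"""
APPARMOR_KEY = "container.apparmor.security.beta.kubernetes.io/"

POD = {
    "metadata": {
        "name": "ubuntu",
        "labels": {"os": "ubuntu"},
        "annotations": {"kubearmor-policy": "enabled",
                        "kubearmor-visibility": "process,file,network,capabilities"},
    },
    "spec": {"containers": [{"name": "ubuntu", "image": "ubuntu",
                             "command": ["sleep", "604800"]}]},
}
POLICY = {
    "metadata": {"name": "ksp-ubuntu-proc-block", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"os": "ubuntu"}},
        "process": {"matchPaths": [{"path": "/usr/bin/sleep"}]},
        "action": "Block",
    },
}

def selector_matches(policy, pod):
    """Every matchLabels key/value must be present on the pod."""
    want = policy["spec"]["selector"].get("matchLabels", {})
    have = pod["metadata"].get("labels", {})
    return all(have.get(k) == v for k, v in want.items())

def check_policy(policy, pod, enforcer="bpf-lsm"):
    """Return findings as strings; an empty list means nothing obviously wrong."""
    spec, ann, findings = policy["spec"], pod["metadata"].get("annotations", {}), []
    if not selector_matches(policy, pod):
        findings.append("selector labels do not match the pod labels")
    if ann.get("kubearmor-policy") != "enabled":
        findings.append("pod lacks the kubearmor-policy=enabled annotation")
    if spec.get("action") != "Block":
        findings.append("action is %r, not Block (Audit only logs)" % spec.get("action"))
    paths = {p["path"] for p in spec.get("process", {}).get("matchPaths", [])}
    for c in pod["spec"]["containers"]:
        if enforcer == "apparmor" and APPARMOR_KEY + c["name"] not in ann:
            findings.append("container %s has no AppArmor profile annotation" % c["name"])
        cmd = (c.get("command") or [""])[0]
        # Exec-time LSM hooks do not affect a process already running when the
        # policy arrived, so a policy on the entrypoint needs a fresh exec to test.
        if cmd and any(p == cmd or p.endswith("/" + cmd) for p in paths):
            findings.append("policy targets the entrypoint %r; test with a new exec" % cmd)
    return findings
```

For the issue's own manifests the only finding is that the blocked path is the container's entrypoint, so the verification step is a new exec of sleep inside the pod rather than watching the long-running one.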