Open yeranosyanvahan opened 1 month ago
Full Kubernetes YAML file:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: kubearmor-operator
  labels:
    project: infra
    group: operator
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: operator-kubearmor-release
spec:
  repo: https://kubearmor.github.io/charts
  chart: kubearmor-operator
  targetNamespace: kubearmor-operator
  version: 1.4.0
--- # kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/pkg/KubeArmorOperator/config/samples/sample-config.yml
apiVersion: operator.kubearmor.com/v1
kind: KubeArmorConfig
metadata:
  labels:
    app.kubernetes.io/name: kubearmorconfig
    app.kubernetes.io/instance: kubearmorconfig-sample
    app.kubernetes.io/part-of: kubearmoroperator
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/created-by: kubearmoroperator
  name: kubearmorconfig-default
  namespace: kubearmor-operator
spec:
  defaultCapabilitiesPosture: audit
  defaultFilePosture: audit
  defaultNetworkPosture: audit
  defaultVisibility: process,network
  enableStdOutLogs: false
  enableStdOutAlerts: false
  enableStdOutMsgs: false
  seccompEnabled: false
  alertThrottling: false
  maxAlertPerSec: 10
  throttleSec: 30
  kubearmorImage:
    image: kubearmor/kubearmor:stable
    imagePullPolicy: Always
  kubearmorInitImage:
    image: kubearmor/kubearmor-init:stable
    imagePullPolicy: Always
  kubearmorRelayImage:
    image: kubearmor/kubearmor-relay-server
    imagePullPolicy: Always
  kubearmorControllerImage:
    image: kubearmor/kubearmor-controller
    imagePullPolicy: Always
---
apiVersion: v1
kind: Namespace
metadata:
  name: test-wordpress-block
  annotations:
    kubearmor-visibility: process,file,network
    kubearmor-file-posture: block
    kubearmor-network-posture: block
    kubearmor-capabilities-posture: block
  labels:
    project: block
    group: wordpress
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: wordpress-testblock-release
spec:
  chart: oci://registry-1.docker.io/bitnamicharts/wordpress
  targetNamespace: test-wordpress-block
  version: 23.1.1
  set:
    mariadb.enabled: "false"
    service.type: ClusterIP
    serviceAccount.create: "false"
    # global.storageClass: host-storageclass
  valuesContent: |-
    replicaCount: 1
    wordpressSkipInstall: false
    persistence:
      enabled: true
      storageClass: local-path
      size: 900Mi
    podLabels:
      test-kubarmor-policy: test-wordpress-block
    startupProbe:
      enabled: true
      initialDelaySeconds: 600
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 9
      successThreshold: 1
---
apiVersion: v1
kind: Namespace
metadata:
  name: test-wordpress-block
  annotations:
    kubearmor-visibility: process,file,network
    kubearmor-file-posture: block
    kubearmor-network-posture: block
    kubearmor-capabilities-posture: block
  labels:
    project: block
    group: wordpress
---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: test-wordpress-block-nolog
  namespace: test-wordpress-block
spec:
  action: Allow
  message: "Doesn't generate any logs because entrypoint is blocked"
  selector:
    matchLabels:
      test-kubarmor-policy: test-wordpress-block
  process:
    matchPaths:
    - path: /opt/bitnami/apache/bin/httpd
---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: test-wordpress-block-worksgreat
  namespace: test-wordpress-block
spec:
  action: Allow
  message: "Generates logs because entrypoint is permitted"
  selector:
    matchLabels:
      test-kubarmor-policy: test-wordpress-block
  process:
    matchPaths:
    - path: /opt/bitnami/apache/bin/httpd
    - path: /opt/bitnami/scripts/wordpress/entrypoint.sh
  file:
    matchDirectories:
    - dir: /opt/bitnami/scripts/wordpress/entrypoint.sh
```
Description:

There is an issue with KubeArmor version 1.4.0 where logs are not generated for blocked processes when a namespace is configured with a default block posture. Logs are only generated after explicitly adding an Allow policy for the entrypoint process.

Steps to Reproduce:

Byt
Allow policy for the entrypoint process:
Allow policy is added.

NOTE: This is the permission denied for a File, not a process, so we need to enable that as well.

Now, kubearmor works as expected, because entrypoint is permitted.

Expected Behavior:

KubeArmor should generate logs for blocked entrypoint process when a default block posture is applied to a namespace.

Actual Behavior:

Allow policy for the entrypoint process.

Environment: