Open bestgaurav opened 2 years ago
I don't think it's a bug. Can you elaborate more on this issue? It is working fine in my case.
Have you tried forwarding port from kubectl ?
kubectl port-forward -n kube-system svc/kubearmor 32767:32767
cc @nyrahul @nam-jaehyun
This seems to be a bug.
If I apply following policy:
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-4153385364
  namespace: explorer
spec:
  severity: 1
  selector:
    matchLabels:
      container: knoxautopolicy
  process:
    matchPaths:
    - path: /**/chmod
  action: Block
The policy is enforced and the execution of chmod is blocked. However, the alerts are not sent.
If I simply change the - path: /**/chmod to - path: /usr/bin/chmod, the alerts work as expected. Hence confirming this as an issue.
I would like to work on this issue. Being somewhat new to the library, could someone guide me through the file structure, or rather the file which I should be looking into for a possible fix? @nyrahul
Hey @nyrahul, I applied your above policy. It is getting blocked and I'm also getting the alerts. Is this issue fixed? Or is the issue with KubeArmorHostPolicy and not the KubeArmorPolicy?
I haven't tried. However, there were some fixes made in the context. Not sure if it fixed it.
Can you try karmor install --image kubearmor/kubearmor:v0.3 and check if the same scenario works with this image? It should not.
Yes, I tried installing the v0.3 version and can confirm that it is not working. By kubearmor/kubearmor:stable we mean the latest release version of KubeArmor, right?
It would be difficult to support policy matching with rules having regex, globbing patterns. This is especially difficult to handle with BPF-LSM based enforcer since matching based on globbing patterns using constrained ebpf instruction set is not possible. We will have to redefine the problem statement.
I would suggest making the change in the spec to something like this:
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-4153385364
  namespace: explorer
spec:
  severity: 1
  selector:
    matchLabels:
      container: knoxautopolicy
  process:
    matchPaths:
    - endswith: /chmod    # Block all bins ending with /chmod
    - startswith: /bin/   # Block all bins in the /bin dir
    - contains: chmod     # Block all bins containing chmod in their full path
  action: Block
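To make the proposal above concrete, here is an added example (not KubeArmor's own code; the MatchPath and Decide names are hypothetical) that evaluates a resolved executable path against a rule list using only the suggested endswith/startswith/contains keys, plus the existing exact path key. Every matcher is a plain prefix/suffix/substring test, which is what makes it feasible without a glob or regex engine.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchPath mirrors one entry of the proposed matchPaths list. Exactly one
// field is expected to be set, following the keys suggested in the thread.
// Hypothetical type: not KubeArmor's own spec type.
type MatchPath struct {
	Path       string // exact absolute path, as in the existing spec
	EndsWith   string
	StartsWith string
	Contains   string
}

// Matches reports whether a resolved executable path satisfies the rule.
// Only substring tests are used, so no glob expansion (e.g. /**/chmod) is
// needed; endswith "/chmod" covers what that glob was meant to express.
func (m MatchPath) Matches(exe string) bool {
	switch {
	case m.Path != "":
		return exe == m.Path
	case m.EndsWith != "":
		return strings.HasSuffix(exe, m.EndsWith)
	case m.StartsWith != "":
		return strings.HasPrefix(exe, m.StartsWith)
	case m.Contains != "":
		return strings.Contains(exe, m.Contains)
	}
	return false
}

// Decide evaluates a process path against a Block rule list and returns the
// resulting action plus the index of the first rule that fired (or -1).
func Decide(rules []MatchPath, exe string) (string, int) {
	for i, r := range rules {
		if r.Matches(exe) {
			return "Block", i
		}
	}
	return "Allow", -1
}

func main() {
	// Constructed rule list: the three entries from the proposed policy.
	rules := []MatchPath{{EndsWith: "/chmod"}, {StartsWith: "/bin/"}, {Contains: "chmod"}}
	for _, exe := range []string{"/usr/bin/chmod", "/bin/ls", "/usr/bin/ls"} {
		action, idx := Decide(rules, exe)
		fmt.Printf("%-16s -> %s (rule %d)\n", exe, action, idx)
	}
}
```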
Bug Report
Expected behavior
After applying the policy logs should come for the command that is blocked.