kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).

https://kubearmor.io/

Apache License 2.0

1.45k stars 335 forks source link

Performance benchmarking of KubeArmor #995

Open Shreyas220 opened 1 year ago

Shreyas220 commented 1 year ago

Aim

The aim of performance test is to Check impact of kubearmor on existing app.

Platform

AKS

Workloads
[ ] Redis

Showcase the impact on performance due to kubearmor use.
[ ] Application Baseline performance without kubearmor installed
[ ] Performance impact with KubeArmor just installed but no policies
[ ] Performance impact with KubeArmor with auto-discovered policy deployed

Shreyas220 commented 1 year ago

Initial Result of Benchmarking Redis link to sheet

nyrahul commented 1 year ago

Performance Requirements based on the discussion today:

Ability to enable/disable visibility at host, namespace, deployment level.
Ability to enable/disable visibility at operation level: Process/Network/File/Capability.
Drop the filtered events in kernel space
If I have an audit policy, I should receive audit events even if visibility is disabled.
Lost events notifications.
Ability to enable/disable visibility at runtime using annotations.

CC: @achrefbensaad

kubearmor / KubeArmor

Performance benchmarking of KubeArmor #995

Aim

Platform

Workloads

Showcase the impact on performance due to kubearmor use.