kubearmor / kubearmor-client

KubeArmor cli tool aka kArmor :robot:
Apache License 2.0

Running karmor probe on operator installation throws incorrect posture values #398

Open rootxrishabh opened 7 months ago

rootxrishabh commented 7 months ago

Bug Report

General Information

To Reproduce

  1. Set default posture settings to block.

  2. Deploy Kubearmor using helm-based local deployment.

  3. Confirm posture settings using karmor probe.

Expected behavior

Karmor probe should confirm that Default Posture is set to block based for File, Capabilities, and Network but rather shows audit.

CC @rksharma95

rksharma95 commented 7 months ago

@rootxrishabh Can you check posture values in kubearmor configmap kubearmor-config?

rootxrishabh commented 7 months ago

The configmap does show up the values as intended. However, kubearmor-config does set posture settings globally and should block all activity related to file, process, and network globally, right?

rksharma95 commented 7 months ago

@rootxrishabh Yes, you're right, global posture should be set to block for process, file and network. Have you tested the enforcement with an allow-based policy?

rootxrishabh commented 7 months ago

Ok so it looks like the posture settings are working well! Policy applied:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-5-net-tcp-allow-curl
  namespace: default
spec:
  severity: 8
  selector:
    matchLabels:
      app: nginx
  network:
    matchProtocols:
```

Result -

```
root@nginx-85b98978db-mpjxz:/# curl google.com
curl: (6) Could not resolve host: google.com
```

So I guess karmor probe needs to be tweaked when working with operator-based deployment.

rootxrishabh commented 7 months ago

One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

rksharma95 commented 7 months ago

> One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

Yes, default posture comes into the picture with an allow-based policy, ref: https://github.com/kubearmor/KubeArmor/blob/main/getting-started/default_posture.md
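The behaviour discussed in the exchange above, as a simplified decision model (an added example, not part of the thread and not KubeArmor's code). It assumes the default posture is evaluated per resource type and applies only once an Allow rule of that type selects the workload; the `Rule` class, `decide` function and sample rule are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Resource types named in the issue's probe output.
RESOURCE_TYPES = ("file", "network", "capabilities")


@dataclass(frozen=True)
class Rule:
    """One rule taken from a policy that selects the workload (hypothetical shape)."""
    resource: str  # "file", "network" or "capabilities"
    match: str     # e.g. a protocol name or a path
    action: str    # "Allow" or "Block"


def decide(posture, rules, resource, target):
    """Return 'allow', 'audit' or 'block' for a single access attempt.

    posture maps each resource type to 'audit' or 'block' (the global default).
    """
    same_type = [r for r in rules if r.resource == resource]
    matching = [r for r in same_type if r.match == target]
    if any(r.action == "Block" for r in matching):
        return "block"            # an explicit Block rule always denies
    if any(r.action == "Allow" for r in matching):
        return "allow"            # the target is on the allow list
    if any(r.action == "Allow" for r in same_type):
        return posture[resource]  # allow-list mode: default posture decides
    return "allow"                # no Allow rule of this type: posture is not consulted


BLOCK_ALL = {t: "block" for t in RESOURCE_TYPES}
AUDIT_ALL = {t: "audit" for t in RESOURCE_TYPES}

# Constructed sample rule; the thread's real matchProtocols list is cut off.
ALLOW_TCP = [Rule("network", "tcp", "Allow")]

if __name__ == "__main__":
    print("no policy, udp:    ", decide(BLOCK_ALL, [], "network", "udp"))
    print("allow tcp, tcp:    ", decide(BLOCK_ALL, ALLOW_TCP, "network", "tcp"))
    print("allow tcp, udp:    ", decide(BLOCK_ALL, ALLOW_TCP, "network", "udp"))
    print("allow tcp, file:   ", decide(BLOCK_ALL, ALLOW_TCP, "file", "/etc/hosts"))
    print("audit posture, udp:", decide(AUDIT_ALL, ALLOW_TCP, "network", "udp"))
```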

rootxrishabh commented 7 months ago

Thanks @rksharma95, will be opening an issue at kubearmor-client for the probe info.