
[Feature] add support for bpf lsm to node group kernels

Open learhy opened this issue 2 years ago • 31 comments

In other managed Kubernetes distros bpf lsm support is enabled in newer kernels (> 5.10 usually). We were hoping to see this feature enabled on the latest node pools that come standard with aks 1.25 but it doesn't look to be the case:

AKSUbuntu-2204gen2containerd-2023.02.15

/etc # cat /sys/kernel/security/lsm
lockdown,capability,landlock,yama,AppArmor

We'd love to have feature parity on Azure as this is important to our customers-- can this feature be enabled?

learhy avatar Mar 29 '23 16:03 learhy
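The check shown in the post above, extended into a small classifier; this is an added example, not part of the original issue or AKS tooling. It relies on the kernel's rule that the BPF LSM is usable only when `CONFIG_BPF_LSM=y` is built in and `bpf` appears in the active LSM list. The function names, the `/boot/config-$(uname -r)` location, and the kernel-config line in the sample run are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue thread): classify BPF LSM availability on a node.

# lsm_has NAME LIST: succeed if NAME is an entry of the comma-separated LIST.
# The comparison is case-insensitive and matches whole entries only.
lsm_has() {
    printf '%s\n' "$2" | tr 'A-Z,' 'a-z\n' | grep -qx "$1"
}

# bpf_lsm_state LSM_LIST KCONFIG_TEXT: print one of
#   active             bpf is in the running LSM list
#   built-not-enabled  CONFIG_BPF_LSM=y but bpf is absent from the list
#                      (it must be added via the lsm= boot parameter or CONFIG_LSM)
#   not-built          the kernel was compiled without CONFIG_BPF_LSM
#   unknown            no kernel config text available to decide
bpf_lsm_state() {
    list=$1
    kconfig=$2
    if lsm_has bpf "$list"; then
        echo active
        return 0
    fi
    case "$kconfig" in
        *CONFIG_BPF_LSM=y*)              echo built-not-enabled ;;
        *"# CONFIG_BPF_LSM is not set"*) echo not-built ;;
        *)                               echo unknown ;;
    esac
}

# check_node: run the classification against the live node.
# Assumes securityfs is mounted and the distro ships /boot/config-<release>.
check_node() {
    list=$(cat /sys/kernel/security/lsm 2>/dev/null || true)
    kconfig=$(cat "/boot/config-$(uname -r)" 2>/dev/null || true)
    bpf_lsm_state "$list" "$kconfig"
}

# Sample run: the LSM list is the one quoted in the issue; the kernel-config
# line is constructed for illustration and is not taken from an AKS image.
SAMPLE_LSM='lockdown,capability,landlock,yama,AppArmor'
SAMPLE_KCONFIG='CONFIG_BPF_LSM=y'
echo "sample node: $(bpf_lsm_state "$SAMPLE_LSM" "$SAMPLE_KCONFIG")"
```

Calling `check_node` from a privileged debug shell on a node reports the same classification for the running kernel.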

Would love to know what the team thinks about this capability. Thanks.

learhy avatar Apr 06 '23 22:04 learhy

@justindavies we were talking about this I think? did we have an answer from LSG?

alexeldeib avatar Jun 10 '23 00:06 alexeldeib

Next to GKE and EKS, we would love to see this working for AKS as well. Is there any feedback as to when that will be available for Azure customers?

msecpim avatar May 13 '24 11:05 msecpim

Issue needing attention of @Azure/aks-leads

This issue has been automatically marked as stale because it has not had any activity for 180 days. It will be closed if no further activity occurs within 7 days of this comment. @allyford

@allyford bpf is a very capable security feature, what are your thoughts on this?

msecpim avatar Oct 08 '25 03:10 msecpim