KubeArmor
Host policy Matchpatterns logs
Bug Report
General Information
- Environment description (GKE)
- Kernel version (Linux cs-143956293394-default-default-5p8pf 5.10.68+ #1 SMP Wed Dec 1 10:07:21 UTC 2021 x86_64 GNU/Linux)
- Orchestration system version in use (Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.4", GitCommit:"b695d79d4f967c403a96986f1750a35eb75e75f1", GitTreeState:"clean", BuildDate:"2021-11-17T15:48:33Z", GoVersion:"go1.16.10", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.5-gke.1302", GitCommit:"639f3a74abf258418493e9b75f2f98a08da29733", GitTreeState:"clean", BuildDate:"2021-10-21T21:35:48Z", GoVersion:"go1.16.7b7", Compiler:"gc", Platform:"linux/amd64"})
To Reproduce
- Make a Kubearmor host policy with matchpatterns
- apply that policy
- execute that node to test policy
- In another terminal check for kubearmor logs
- All commands will block as expected as we applied the policy before but in another terminal logs will not come
Expected behavior
After applying the policy logs should come for the command that is blocked.
Screenshots
I don't think it's a bug. Can you elaborate more on this issue? It is working fine in my case.
Have you tried forwarding the port from kubectl?
`kubectl port-forward -n kube-system svc/kubearmor 32767:32767`
cc @nyrahul @nam-jaehyun
This seems to be a bug.
If I apply the following policy:
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-4153385364
  namespace: explorer
spec:
  severity: 1
  selector:
    matchLabels:
      container: knoxautopolicy
  process:
    matchPaths:
      - path: /**/chmod
    action: Block
```
The policy is enforced and the execution of chmod is blocked. However, the alerts are not sent.
If I simply change `- path: /**/chmod` to `- path: /usr/bin/chmod`, the alerts work as expected. Hence confirming this as an issue.
I would like to work on this issue. Being somewhat new to the library, could someone guide me through the file structure, or rather the file which I should be looking into for a possible fix? @nyrahul
Hey @nyrahul, I applied your above policy. It is getting blocked and I'm also getting the alerts. Is this issue fixed? Or is the issue with KubeArmorHostPolicy and not the KubeArmorPolicy?
I haven't tried. However, there were some fixes made in this context. Not sure if it fixed it.
Can you try `karmor install --image kubearmor/kubearmor:v0.3` and check if the same scenario works with this image? It should not.
Yes, I tried installing the v0.3 version and can confirm that it is not working. By `kubearmor/kubearmor:stable` we mean the latest release version of KubeArmor, right?
It would be difficult to support policy matching with rules having regex or globbing patterns. This is especially difficult to handle with the BPF-LSM based enforcer, since matching based on globbing patterns using the constrained eBPF instruction set is not possible. We will have to redefine the problem statement.
I would suggest making the change in the spec to something like this:
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-4153385364
  namespace: explorer
spec:
  severity: 1
  selector:
    matchLabels:
      container: knoxautopolicy
  process:
    matchPaths:
      - endswith: /chmod     # Block all bins ending with /chmod
      - startswith: /bin/    # Block all bins in the /bin dir
      - contains: chmod      # Block all bins containing chmod in their full path
    action: Block
```
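As an added illustration (not KubeArmor's own code), the following Go snippet evaluates the three proposed `endswith`/`startswith`/`contains` rules from the spec above using only fixed-string comparisons, which is the property that makes them feasible to enforce where glob matching is not; the `MatchPath` type and `FirstMatch` function are hypothetical names, not part of the KubeArmor API.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchPath is one entry of the proposed matchPaths list. Exactly one of
// Path (exact), EndsWith, StartsWith or Contains is expected to be set.
// This is a hypothetical type, not KubeArmor's spec struct.
type MatchPath struct {
	Path, EndsWith, StartsWith, Contains string
}

// Matches reports whether an executed binary path hits this rule. Each
// check is a fixed-string comparison (no regex, no globbing).
func (m MatchPath) Matches(execPath string) bool {
	switch {
	case m.Path != "":
		return execPath == m.Path
	case m.EndsWith != "":
		return strings.HasSuffix(execPath, m.EndsWith)
	case m.StartsWith != "":
		return strings.HasPrefix(execPath, m.StartsWith)
	case m.Contains != "":
		return strings.Contains(execPath, m.Contains)
	}
	return false
}

// FirstMatch returns the index of the first rule that matches execPath,
// or -1 when no rule applies (the exec would be allowed).
func FirstMatch(rules []MatchPath, execPath string) int {
	for i, r := range rules {
		if r.Matches(execPath) {
			return i
		}
	}
	return -1
}

// ProposedRules mirrors the three entries from the suggested spec above.
var ProposedRules = []MatchPath{
	{EndsWith: "/chmod"},
	{StartsWith: "/bin/"},
	{Contains: "chmod"},
}

func main() {
	// Constructed sample exec paths; -1 means no rule matched.
	for _, p := range []string{"/usr/bin/chmod", "/bin/ls", "/opt/chmod-helper", "/usr/bin/ls"} {
		fmt.Printf("%-18s -> rule %d\n", p, FirstMatch(ProposedRules, p))
	}
}
```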