Comments (7)
@rootxrishabh Yes, you're right, global posture should be set to block for process, file and network. Have you tested the enforcement with an allow-based policy?
from kubearmor-client.
Ok so it looks like the posture settings are working well!
Policy applied:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-5-net-tcp-allow-curl
  namespace: default
spec:
  severity: 8
  selector:
    matchLabels:
      app: nginx
  network:
    matchProtocols:
    - protocol: tcp
      fromSource:
      - path: /usr/bin/curl
  action: Allow
```

Result:

```
root@nginx-85b98978db-mpjxz:/# curl google.com
curl: (6) Could not resolve host: google.com
```
So I guess karmor probe needs to be tweaked when working with operator-based deployment.
One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?
Yes, default posture comes into the picture with an allow-based policy, ref: https://github.com/kubearmor/KubeArmor/blob/main/getting-started/default_posture.md
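The rule in the reply above, worked through as an added example that is not KubeArmor's or karmor's own code: it decides, per category, whether a cluster-wide block posture actually applies to a pod, which happens only once an Allow-based policy of that category selects the pod. The kubearmor-config key names, the process-to-file posture mapping and all sample data are assumptions constructed for the example.

```python
"""Which KubeArmor default postures actually take effect for a given pod.

Added example, not KubeArmor or karmor code. It encodes the rule from the thread:
a default posture applies to a pod in a category only once an Allow-based policy
for that category matches the pod. ConfigMap key names and the process->file
mapping are assumptions; all sample data is constructed.
"""

# Assumed kubearmor-config data keys, mapped to the policy categories they govern.
POSTURE_KEYS = {
    "process": "defaultFilePosture",  # assumption: process rules follow file posture
    "file": "defaultFilePosture",
    "network": "defaultNetworkPosture",
}

KUBEARMOR_CONFIG = {k: "block" for k in set(POSTURE_KEYS.values())}  # constructed: all block

# Constructed: the allow-based network policy posted in the thread.
POLICIES = [{
    "metadata": {"name": "ksp-ubuntu-5-net-tcp-allow-curl", "namespace": "default"},
    "spec": {
        "selector": {"matchLabels": {"app": "nginx"}},
        "network": {"matchProtocols": [
            {"protocol": "tcp", "fromSource": [{"path": "/usr/bin/curl"}]}]},
        "action": "Allow",
    },
}]


def selector_matches(selector, pod_labels):
    """True when every matchLabels entry is present on the pod with the same value."""
    return all(pod_labels.get(k) == v for k, v in selector["matchLabels"].items())


def is_allow_based(policy, category):
    """True for an Allow policy carrying rules in this category (rule-level action wins)."""
    rules = policy["spec"].get(category)
    if not rules:
        return False
    return rules.get("action", policy["spec"].get("action")) == "Allow"


def effective_posture(config, policies, namespace, pod_labels):
    """Per category: the posture now enforced for the pod, or 'not enforced'."""
    outcome = {}
    for category, key in POSTURE_KEYS.items():
        triggered = any(
            p["metadata"].get("namespace", "default") == namespace
            and selector_matches(p["spec"]["selector"], pod_labels)
            and is_allow_based(p, category)
            for p in policies)
        outcome[category] = config.get(key, "audit") if triggered else "not enforced"
    return outcome
```

With the thread's policy loaded, only the network posture of the nginx pod flips to block; its process and file activity, and every category of an unselected pod, stay unaffected by the global block setting.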
Thanks @rksharma95, will be opening an issue at kubearmor-client for the probe info.
@rootxrishabh Can you check posture values in kubearmor configmap kubearmor-config?
The configmap does show the values as intended. However, kubearmor-config does set posture settings globally and should block all activity related to file, process, and network globally, right?