Running karmor probe on operator installation throws incorrect posture values about kubearmor-client HOT 7 OPEN

@rootxrishabh yes you're right, global posture should be set to block for process, file and network. have you tested the enforcement with an allow based policy?

from kubearmor-client.

Ok so it looks like the posture settings are working well!
Policy applied:
apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: name: ksp-ubuntu-5-net-tcp-allow-curl namespace: default spec: severity: 8 selector: matchLabels: app: nginx network: matchProtocols: - protocol: tcp fromSource: - path: /usr/bin/curl action: Allow

Result -
root@nginx-85b98978db-mpjxz:/# curl google.com curl: (6) Could not resolve host: google.com

So I guess karmor probe needs to be tweaked when working with operator-based deployment.

from kubearmor-client.

One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

yes default posture comes into picture with a allow based policy, ref: https://github.com/kubearmor/KubeArmor/blob/main/getting-started/default_posture.md

from kubearmor-client.

Thanks @rksharma95, will be opening an issue at kubearmor-client for the probe info.

from kubearmor-client.

@rootxrishabh Can you check posture values in kubearmor configmap kubearmor-config?

from kubearmor-client.

The configmap does show up the values as intended. However, kubearmor-config does set posture settings globally and should block all activity related to file, process, and network globally, right?

from kubearmor-client.

One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

from kubearmor-client.