kArmor probe utility #19

Closed
10 tasks done
daemon1024 opened this issue Nov 9, 2021 · 13 comments · Fixed by #86

@daemon1024
Member

daemon1024 commented Nov 9, 2021

Utility to analyse configuration and supported KubeArmor features in the current environment

List of things to probe into

  • Host Security Policies
  • Pod Security Policies
  • Audit Mode
  • Enforcement Mode
    • AppArmor
    • SELinux
    • BPF-LSM
  • Need a probe-check to see if the kernel-headers are present in the host (ref. issue "module kheaders not found in modules.dep. Unable to find kernel headers.")
  • Check Pods being handled by KubeArmor
  • Check which policies are applied to which pods!

daemon1024 added the enhancement and help wanted labels Nov 9, 2021

@sumit-158

Hi, I want to participate in LFX Mentorship. Currently I'm kinda a beginner to Go and k8s. Can you help me out with how to get involved in this project, or any suggestions?

@daemon1024
Member Author

daemon1024 commented May 9, 2022

Hey @sumit-158, Thanks for the interest.

I'm kinda a beginner to Go and k8s. Can you help me out with how to get involved in this project, or any suggestions?

kArmor is a helper utility to the KubeArmor project.
I would suggest going through CONTRIBUTING.md for ways to get involved and experiment with KubeArmor and kArmor meanwhile. If you have any specific queries feel free to shoot em on the KubeArmor Slack.

For

are some nice resources.

@SaarthakMaini

Hello,
I am currently a beginner in Go and Kubernetes
I would also like to contribute to the project under LFX Mentorship Program
May I also follow the above resources and apply for the project?
Thank you!

@daemon1024
Member Author

@SaarthakMaini Sure go ahead. Thank You for the interest.

@anutosh491

Hello @daemon1024, hope you're doing well, this is Anutosh here from India.

I'm an open source enthusiast and I am keen to take part in the LFX Mentorship program for the summer term. The project and the library interest me. But being new to the project, I would be glad if you could suggest any relevant resources/links I should be going through as a beginner for getting to know the project and the library better. Thank you!

@AnuragThePathak

Hi, I'm Anurag Pathak, a full-stack developer and B. Tech. 2nd-year CSE student. I have been working with Kubernetes and Golang for the last 2-3 months and contributing to Brigade and Argo-workflow. While looking for some good projects which interest me, I found KubeArmor and eventually came to this issue. I would like to work on it in LFX Mentorship Summer 2022.

@SaarthakMaini

Hello,

I have gone through the required pre-requisites and resources as stated above.
I also saw this video:

https://www.youtube.com/watch?v=A4HwqCRjyHE&t=221s

to learn about KubeArmor and eBPF

What I understand is that we have to create and change yaml files in the policy-templates repository. Am I correct?

If possible, please point me in the direction from where I could get started on this issue and what else I have to do in this exactly, and I will take it on from there

Thank you very much!

@shreemaan-abhishek

shreemaan-abhishek commented May 22, 2022

I'm also interested in working on this project, I'm still on my way to understanding the project architecture. I had a doubt tho:

This feature will provide various information about KubeArmor like the current running mode (audit or enforcement), the enforcer used by KubeArmor (SELinux or AppArmor or BPF-LSM), whether it's running in systemd mode or on k8s, etc.

I suppose audit and enforcement are Kubernetes admission control constructs, right?

Also, the extensions that we are planning to build, are those pieces of information available for collection from KubeArmor? Or do we have to work on KubeArmor first to make such information available for the kArmor CLI?

@daemon1024
Member Author

daemon1024 commented Jun 13, 2022

PreInstall

$ karmor probe

**Host**
	Observability/Audit : Supported
	Enforcement: Full (Supported LSMs: apparmor)
	
**Node 1**
	Observability/Audit : Supported
	Enforcement: Partial (Supported LSMs: selinux)
	
**Node 2**
	Observability/Audit : Supported
	Enforcement: None (Supported LSMs: smack)
	
**Node 3**
	Observability/Audit : Nope ( Kernel Version < 4.14 )
	Enforcement: Full (Supported LSMs: apparmor)

KubeArmor running

  • Kubernetes

$ karmor probe

Found KubeArmor running in Kubernetes

Deployment			kubearmor-relay				Desired: 1, Ready: 1/1, Available: 1/1
DaemonSet			kubearmor				Desired: 1, Ready: 1/1, Available: 1/1
Containers			kubearmor				Running: 4				<image version>
				kubearmor-relay				Running: 1				<image version>
Node 1
	OS Image: Ubuntu 18.04.5 LTS
	Kernel Version: 4.15.0-184-generic
	Kubelet Version: v1.23.3
	Container Runtime: docker://18.9.1
	Supported LSMs: capability,yama,apparmor
	
	Observability/Audit : Yes
	Host Security:           Yes
	Container Security:   Yes
	KubeArmor Posture: Block

Node 2
	OS Image: RHEL..
	Kernel Version: 4.18...
	Kubelet Version: v1.23.3
	Container Runtime: crio-o://18.9.1
	Supported LSMs: capability,yama,selinux
	
	Observability/Audit : Yes
	Host Security:           Yes
	Container Security:   No
	KubeArmor Posture: Audit

  • SystemD

$ karmor probe

Found KubeArmor running in systemd mode

KubeArmor PID - 32454

Host - HostName
	OS Image: Ubuntu 18.04.5 LTS
	Kernel Version: 4.15.0-184-generic
	Container Runtime: docker://18.9.1
	Supported LSMs: capability,yama,apparmor
	
	Observability/Audit : Yes
	Host Security:           Yes
	Container Security:   Yes
	KubeArmor Posture: Block
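
The pre-install report sketched in the comment above can be derived from two values a Linux node exposes, the kernel release and the active LSM list; this is an added example in Go, not kArmor's or KubeArmor's code. The function names are hypothetical, the Full/Partial/None levels and the 4.14 threshold are read off the mock-up, and treating `bpf` as Full is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// kernelAtLeast reports whether a release such as "4.15.0-184-generic" is >= major.minor.
func kernelAtLeast(release string, major, minor int) bool {
	var maj, mnr int
	if n, _ := fmt.Sscanf(release, "%d.%d", &maj, &mnr); n != 2 {
		return false // unparsable release: treat as unsupported
	}
	return maj > major || (maj == major && mnr >= minor)
}

// enforcement maps /sys/kernel/security/lsm content to the mock-up's level.
func enforcement(lsms string) string {
	level := "None"
	for _, l := range strings.Split(strings.TrimSpace(lsms), ",") {
		switch strings.TrimSpace(l) {
		case "apparmor", "bpf": // "bpf" => Full is an assumption, not on the page
			return "Full"
		case "selinux":
			level = "Partial"
		}
	}
	return level
}

// probe renders the two pre-install lines for one host.
func probe(release, lsms string) []string {
	obs := "Supported"
	if !kernelAtLeast(release, 4, 14) {
		obs = "Nope ( Kernel Version < 4.14 )"
	}
	return []string{
		"Observability/Audit : " + obs,
		fmt.Sprintf("Enforcement: %s (Supported LSMs: %s)", enforcement(lsms), strings.TrimSpace(lsms)),
	}
}

func main() {
	// Unreadable files yield empty strings, which are reported as unsupported.
	rel, _ := os.ReadFile("/proc/sys/kernel/osrelease")
	lsm, _ := os.ReadFile("/sys/kernel/security/lsm")
	fmt.Println(strings.Join(probe(string(rel), string(lsm)), "\n"))
}
```
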

@Essietom
Contributor

@daemon1024 I would love to pick up this issue

@daemon1024
Member Author

Partially handled in #86. More changes to follow in a separate PR.

@daemon1024
Member Author

Ref #166

@nyrahul
Contributor

nyrahul commented Jan 4, 2023

Closing, since handled.

@nyrahul nyrahul closed this as completed Jan 4, 2023