Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IBM Cloud Support #1107

Closed
4 tasks done
rksharma95 opened this issue Feb 13, 2023 · 1 comment · Fixed by #1108
Closed
4 tasks done

IBM Cloud Support #1107

rksharma95 opened this issue Feb 13, 2023 · 1 comment · Fixed by #1108
Assignees
@rksharma95
Labels
enhancement New feature or request

Comments

@rksharma95
Copy link
Collaborator

rksharma95 commented Feb 13, 2023
edited
Loading

Feature Request

Support for IBM Cloud needs to be validated. Validation has to be done for:

  • enforcement supported? What is the LSM used?
  • Audit/Observability supported
  • Paste the output of karmor probe
  • Update KubeArmor Support Matrix.
@rksharma95 rksharma95 added the enhancement New feature or request label Feb 13, 2023
@rksharma95 rksharma95 self-assigned this Feb 13, 2023
@rksharma95
Copy link
Collaborator Author

rksharma95 commented Feb 13, 2023
edited
Loading

Enforcement Supported: Yes
Audit/Observability supported: Yes
LSM Used: Apparmor

karmor probe

 
Found KubeArmor running in Kubernetes

Daemonset :
 	kubearmor 	Desired: 1	Ready: 1	Available: 1	
Deployments : 
 	kubearmor-annotation-manager 	Desired: 1	Ready: 1	Available: 1	
 	kubearmor-host-policy-manager	Desired: 1	Ready: 1	Available: 1	
 	kubearmor-policy-manager     	Desired: 1	Ready: 1	Available: 1	
 	kubearmor-relay              	Desired: 1	Ready: 1	Available: 1	
Containers : 
 	kubearmor-4z9ls                               	Running: 1	Image Version: kubearmor/kubearmor:stable               	
 	kubearmor-annotation-manager-7fc8d9b964-6nzqc 	Running: 2	Image Version: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0	
 	kubearmor-host-policy-manager-5644c558d8-r7dcb	Running: 2	Image Version: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0	
 	kubearmor-policy-manager-5cc6867465-zp5xq     	Running: 2	Image Version: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0	
 	kubearmor-relay-6fddb8865b-m2kcf              	Running: 1	Image Version: kubearmor/kubearmor-relay-server:latest  	
Node 1 : 
 	OS Image:                 	Ubuntu 18.04.6 LTS 	
 	Kernel Version:           	4.15.0-202-generic 	
 	Kubelet Version:          	v1.25.6+IKS        	
 	Container Runtime:        	containerd://1.6.15	
 	Active LSM:               	AppArmor           	
 	Host Security:            	true               	
 	Container Security:       	true               	
 	Container Default Posture:	audit(File)        	audit(Capabilities)	audit(Network)	
 	Host Default Posture:     	audit(File)        	audit(Capabilities)	audit(Network)
Armored Up pods : 
+-----------------+----------------------------+----------------------------+
|    NAMESPACE    |            NAME            |           POLICY           |
+-----------------+----------------------------+----------------------------+
| wordpress-mysql | mysql-76ddc6ddc4-zsb4m     |                            |
+                 +----------------------------+----------------------------+
|                 | wordpress-787f45786f-s2ldt | ksp-wordpress-block-config |
+-----------------+----------------------------+----------------------------+

KubeArmor Telemetry

 
root@wordpress-787f45786f-s2ldt:/var/www/html# cat /var/www/html/wp-config.php
cat: /var/www/html/wp-config.php: Permission denied

$ karmor log
local port to be used for port forwarding kubearmor-relay-6fddb8865b-m2kcf: 32767 
Created a gRPC client (localhost:32767)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2023-02-03 05:56:30.297376 ==
ClusterName: default
HostName: kube-cfctp3df0s5lt464mmq0-rjibmcluste-default-0000008a
NamespaceName: wordpress-mysql
PodName: wordpress-787f45786f-s2ldt
Labels: app=wordpress
ContainerName: wordpress
ContainerID: 39703c8ad9147ddbd18e0a96c3e76ca58833d01befd3b41f3a99175f0e23bfbb
ContainerImage: docker.io/library/wordpress:4.8-apache@sha256:6216f64ab88fc51d311e38c7f69ca3f9aaba621492b4f1fa93ddf63093768845
Type: MatchedPolicy
PolicyName: ksp-wordpress-block-config
Severity: 10
Source: /bin/cat /var/www/html/wp-config.php
Resource: /var/www/html/wp-config.php
Operation: File
Action: Block
Data: syscall=SYS_OPEN flags=O_RDONLY
Enforcer: AppArmor
Result: Permission denied
HostPID: 22635
HostPPID: 22244
PID: 198
PPID: 192
ParentProcessName: /bin/bash
ProcessName: /bin/cat

@rksharma95 rksharma95 mentioned this issue Feb 13, 2023
Merged
2 tasks
@rksharma95 rksharma95 moved this to In Progress in v0.9 backlog Feb 13, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in v0.9 backlog Feb 14, 2023
@nyrahul nyrahul mentioned this issue Mar 2, 2023
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rksharma95 rksharma95

Labels
enhancement New feature or request
Projects
No open projects
v0.9 backlog
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs(support-matrix): Update Support Matrix for IBM Cloud rksharma95/KubeArmor
1 participant
@rksharma95