KubeArmor Support Matrix
KubeArmor supports following types of workloads:
1.K8s orchestrated workloads: Workloads deployed as k8s orchestrated containers. In this case, KubeArmor is deployed as a k8s daemonset. Note, KubeArmor supports policy enforcement on both k8s-pods (KubeArmorPolicy) as well as k8s-nodes (KubeArmorHostPolicy).
2.VM/Bare-Metals workloads: Workloads deployed on Virtual Machines or Bare Metal i.e. workloads directly operating as host processes. In this case, KubeArmor is deployed in systemd mode.
Kubernetes Support Matrix¶
Provider | K8s engine | OS Image | Arch | Observability | Audit Rules | Blocking Rules | Network-Segmentation | LSM Enforcer | Remarks |
---|---|---|---|---|---|---|---|---|---|
Onprem | kubeadm, k0s, k3s, microk8s | Distros | x86_64, ARM | BPFLSM, AppArmor | |||||
GKE | COS | x86_64 | BPFLSM, AppArmor | All release channels | |||||
GKE | Ubuntu >= 16.04 | x86_64 | BPFLSM, AppArmor | All release channels | |||||
Microsoft | AKS | Ubuntu >= 18.04 | x86_64 | BPFLSM, AppArmor | |||||
Oracle | OKE | UEK >=7 | x86_64 | BPFLSM | Oracle Linux Server 8.7 | ||||
IBM | IBM k8s Service | Ubuntu | x86_64 | BPFLSM, AppArmor | |||||
AWS | EKS | Amazon Linux 2 (kernel >=5.8) | x86_64 | BPFLSM | |||||
AWS | EKS | Amazon Linux 2 (kernel <=5.4) | x86_64 | SELinux | |||||
AWS | EKS | Ubuntu | x86_64 | AppArmor | |||||
AWS | EKS | Bottlerocket | x86_64 | BPFLSM | |||||
AWS | Graviton | Ubuntu | ARM | AppArmor | |||||
AWS | Graviton | Amazon Linux 2 | ARM | SELinux | |||||
RedHat | OpenShift | RHEL <=8.4 | x86_64 | SELinux | |||||
RedHat | OpenShift | RHEL >=8.5 | x86_64 | BPFLSM | |||||
RedHat | MicroShift | RHEL >=9.2 | x86_64 | BPFLSM | |||||
Rancher | RKE | SUSE | x86_64 | BPFLSM, AppArmor | |||||
Rancher | K3S | Distros | x86_64 | BPFLSM, AppArmor | |||||
Oracle | Ampere | UEK | ARM | SELinux | 1084 | ||||
VMware | Tanzu | TBD | x86_64 | 1064 | |||||
Mirantis | MKE | Ubuntu>=20.04 | x86_64 | AppArmor | 1181 | ||||
Digital Ocean | DOKS | Debian GNU/Linux 11 (bullseye) | x86_64 | BPFLSM | 1120 | ||||
Alibaba Cloud | Alibaba | Alibaba Cloud Linux 3.2104 LTS | x86_64 | BPFLSM | 1650 |
Supported Linux Distributions¶
Following distributions are tested for VM/Bare-metal based installations:
Provider | Distro | VM / Bare-metal | Kubernetes |
---|---|---|---|
SUSE | SUSE Enterprise 15 | Full | Full |
Debian | Buster / Bullseye | Full | Full |
Ubuntu | 18.04 / 16.04 / 20.04 | Full | Full |
RedHat / CentOS | RHEL / CentOS <= 8.4 | Full | Partial |
RedHat / CentOS | RHEL / CentOS >= 8.5 | Full | Full |
Fedora | Fedora 34 / 35 | Full | Full |
Rocky Linux | Rocky Linux >= 8.5 | Full | Full |
AWS | Amazon Linux 2022 | Full | Full |
AWS | Amazon Linux 2023 | Full | Full |
RaspberryPi (ARM) | Debian | Full | Full |
ArchLinux | ArchLinux-6.2.1 | Full | Full |
Alibaba | Alibaba Cloud Linux 3.2104 LTS 64 bit | Full | Full |
Note Full: Supports both enforcement and observability
Partial: Supports only observability
Platform I am interested is not listed here! What can I do?¶
Please approach the Kubearmor community on slack or raise a GitHub issue to express interest in adding the support.
It would be very much appreciated if you can test kubearmor on a platform not listed above and if you have access to. Once tested you can update this document and raise a PR.