
Policy as code

AccuKnox uses Cilium and KubeArmor to enforce network and application security policies at runtime. Both tools take their rules as YAML or JSON policy files, so runtime security rules can be written, reviewed and versioned like any other code.

Sample KubeArmor Policy

Given below is a sample KubeArmor host policy that blocks access to the ptrace configuration files on the node (the Yama `ptrace_scope` sysctl and its `sysctl.d` configuration file):

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-mitre-ptrace-syscall
spec:
  tags: ["MITRE", "T1055.008", "Privilege Escalation", "P-trace"]
  message: "Alert! ptrace access denied"
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: gke-ubuntu # Change your match labels
  file:
    severity: 6
    matchPaths:
    - path: /proc/sys/kernel/yama/ptrace_scope
    - path: /etc/sysctl.d/10-ptrace.conf
    action: Block
```

Sample Cilium Policy

Given below is a sample Cilium policy that denies ingress access to the Helm Tiller endpoint (port 44134) on the selected endpoints:

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "cnp-ingress-mitre-t1210-block-helm-tiller-endpoint"
spec:
  description: "Policy to Deny Access to tiller endpoint on port 44134"
  endpointSelector:
    matchLabels:
      app: test      # change app: test to match your label
  ingressDeny:
  - toPorts:
    - ports:
      - port: "44134"
        protocol: ANY
```
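Treating policies as code means they can be linted before they are applied. The script below is an added example (not AccuKnox, KubeArmor or Cilium code) that loads both sample policies from this page and checks the fields that most often go wrong: the API version and kind, that a selector is present, that KubeArmor actions are one of `Allow`/`Audit`/`Block` with a severity of 1 to 10 and absolute paths, and that Cilium ports are in range with a known protocol. It assumes the policies are supplied as JSON (both tools accept JSON as well as YAML), so only the standard library is needed; the two "broken" documents are constructed here purely to show the linter catching mistakes.

```python
"""Pre-apply lint for KubeArmor and Cilium policies (added example, stdlib only)."""
import json

# Constructed JSON equivalents of the two sample policies shown on this page.
KUBEARMOR_HOST_POLICY = """{
  "apiVersion": "security.kubearmor.com/v1",
  "kind": "KubeArmorHostPolicy",
  "metadata": {"name": "hsp-mitre-ptrace-syscall"},
  "spec": {
    "tags": ["MITRE", "T1055.008", "Privilege Escalation", "P-trace"],
    "message": "Alert! ptrace access denied",
    "nodeSelector": {"matchLabels": {"kubernetes.io/hostname": "gke-ubuntu"}},
    "file": {
      "severity": 6,
      "matchPaths": [
        {"path": "/proc/sys/kernel/yama/ptrace_scope"},
        {"path": "/etc/sysctl.d/10-ptrace.conf"}
      ],
      "action": "Block"
    }
  }
}"""

CILIUM_POLICY = """{
  "apiVersion": "cilium.io/v2",
  "kind": "CiliumNetworkPolicy",
  "metadata": {"name": "cnp-ingress-mitre-t1210-block-helm-tiller-endpoint"},
  "spec": {
    "description": "Policy to Deny Access to tiller endpoint on port 44134",
    "endpointSelector": {"matchLabels": {"app": "test"}},
    "ingressDeny": [
      {"toPorts": [{"ports": [{"port": "44134", "protocol": "ANY"}]}]}
    ]
  }
}"""

# Constructed deliberately broken variants: an action KubeArmor does not know,
# an out-of-range severity, an impossible port and an unsupported protocol.
BROKEN_KUBEARMOR_POLICY = KUBEARMOR_HOST_POLICY.replace(
    '"action": "Block"', '"action": "Deny"').replace('"severity": 6', '"severity": 42')
BROKEN_CILIUM_POLICY = CILIUM_POLICY.replace(
    '"port": "44134"', '"port": "99999"').replace('"protocol": "ANY"', '"protocol": "ICMP"')

KUBEARMOR_ACTIONS = {"Allow", "Audit", "Block"}
KUBEARMOR_SECTIONS = ("process", "file", "network", "capabilities")
CILIUM_PROTOCOLS = {"TCP", "UDP", "SCTP", "ANY"}
CILIUM_RULE_KEYS = ("ingress", "egress", "ingressDeny", "egressDeny")


def lint_kubearmor(policy):
    """Return a list of findings for a KubeArmor policy; an empty list means it passed."""
    findings = []
    spec = policy.get("spec", {})
    kind = policy.get("kind")
    if policy.get("apiVersion") != "security.kubearmor.com/v1":
        findings.append("unexpected apiVersion %r" % policy.get("apiVersion"))
    if kind == "KubeArmorHostPolicy":
        if not spec.get("nodeSelector", {}).get("matchLabels"):
            findings.append("host policy needs spec.nodeSelector.matchLabels")
    elif kind == "KubeArmorPolicy":
        if not spec.get("selector", {}).get("matchLabels"):
            findings.append("policy needs spec.selector.matchLabels")
    else:
        findings.append("unexpected kind %r" % kind)
    sections = [s for s in KUBEARMOR_SECTIONS if s in spec]
    if not sections:
        findings.append("no process/file/network/capabilities section in spec")
    for name in sections:
        section = spec[name]
        # Section-level action/severity override the spec-level defaults.
        action = section.get("action", spec.get("action"))
        if action not in KUBEARMOR_ACTIONS:
            findings.append("%s: action must be Allow, Audit or Block, got %r" % (name, action))
        severity = section.get("severity", spec.get("severity", 1))
        if not (isinstance(severity, int) and 1 <= severity <= 10):
            findings.append("%s: severity must be an integer from 1 to 10" % name)
        for rule in section.get("matchPaths", []):
            if not str(rule.get("path", "")).startswith("/"):
                findings.append("%s: matchPaths entries need an absolute path" % name)
    return findings


def lint_cilium(policy):
    """Return a list of findings for a CiliumNetworkPolicy; an empty list means it passed."""
    findings = []
    spec = policy.get("spec", {})
    if policy.get("apiVersion") != "cilium.io/v2":
        findings.append("unexpected apiVersion %r" % policy.get("apiVersion"))
    if policy.get("kind") != "CiliumNetworkPolicy":
        findings.append("unexpected kind %r" % policy.get("kind"))
    if "endpointSelector" not in spec:
        findings.append("spec.endpointSelector is required")
    rule_keys = [k for k in CILIUM_RULE_KEYS if k in spec]
    if not rule_keys:
        findings.append("no ingress/egress/ingressDeny/egressDeny section in spec")
    for key in rule_keys:
        for rule in spec[key]:
            for to_ports in rule.get("toPorts", []):
                for entry in to_ports.get("ports", []):
                    port = str(entry.get("port", ""))
                    # Numeric ports must fit in 16 bits; named ports are passed through.
                    if port.isdigit() and not 1 <= int(port) <= 65535:
                        findings.append("%s: port %s is out of range" % (key, port))
                    protocol = entry.get("protocol", "ANY")
                    if protocol not in CILIUM_PROTOCOLS:
                        findings.append("%s: unsupported protocol %r" % (key, protocol))
    return findings


def lint(document):
    """Parse a JSON policy document and dispatch on its kind."""
    policy = json.loads(document)
    kind = str(policy.get("kind", ""))
    if kind.startswith("KubeArmor"):
        return lint_kubearmor(policy)
    if kind.startswith("Cilium"):
        return lint_cilium(policy)
    return ["unknown policy kind %r" % kind]


if __name__ == "__main__":
    for label, doc in [("kubearmor", KUBEARMOR_HOST_POLICY), ("cilium", CILIUM_POLICY),
                       ("broken kubearmor", BROKEN_KUBEARMOR_POLICY),
                       ("broken cilium", BROKEN_CILIUM_POLICY)]:
        print(label, lint(doc) or "OK")
```

Run it as a pre-commit hook or CI step over the policy directory and fail the pipeline on any finding; the checks are intentionally structural, so a policy that passes here still needs a dry run against a non-production cluster before it is enforced.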
