Policy using GitOps Workflow
AccuKnox enables DevSecOps teams to embed security policies as code into their GitOps workflow. This gives a unified, collaborative view of the policies and lets them be shipped and deployed alongside the applications they protect. Instead of separately configuring perimeter or host firewall rules, AccuKnox leverages Kubernetes to apply the policies at the pod and host level as deployments change.
AccuKnox uses Cilium and KubeArmor to enforce network and application security policies at runtime. Both tools accept YAML or JSON files as their policy definition language for runtime security rules.
Sample Application Policy
Below is a sample KubeArmor host policy that blocks access to the ptrace configuration files listed under matchPaths:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-mitre-ptrace-syscall
spec:
  tags: ["MITRE", "T1055.008", "Privilege Escalation", "P-trace"]
  message: "Alert! ptrace access denied"
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: gke-ubuntu # Change your match labels
  file:
    severity: 6
    matchPaths:
    - path: /proc/sys/kernel/yama/ptrace_scope
    - path: /etc/sysctl.d/10-ptrace.conf
  action: Block
```
Sample Network Policy
Below is a sample Cilium policy that denies ingress to the Helm Tiller endpoint (port 44134):

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "cnp-ingress-mitre-t1210-block-helm-tiller-endpoint"
spec:
  description: "Policy to Deny Access to tiller endpoint on port 44134"
  endpointSelector:
    matchLabels:
      app: test # change app: test to match your label
  ingressDeny:
  - toPorts:
    - ports:
      - port: "44134"
        protocol: ANY
```
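Once policies live in a Git repository, a pre-merge check can refuse policies that would enforce nothing or target the wrong workload. The lint below is an added example, not AccuKnox's or KubeArmor's own tooling; it takes an already parsed policy document (a real pipeline would `yaml.safe_load()` each file) and the two sample dicts are constructed from the policies above, trimmed to the fields the lint inspects.

```python
# Added example, not AccuKnox's or KubeArmor's tooling: pre-merge lint for policy files
# in a GitOps repo. Input is a parsed policy; a real pipeline would yaml.safe_load() each file.

# Selector values the samples ship with; merged unchanged they target the wrong node/app.
PLACEHOLDERS = {"kubernetes.io/hostname": "gke-ubuntu", "app": "test"}
KUBEARMOR_SECTIONS = ("file", "process", "network", "capabilities", "syscalls")
CILIUM_SECTIONS = ("ingress", "ingressDeny", "egress", "egressDeny")

def lint_policy(policy: dict) -> list:
    """Return findings for one KubeArmor or Cilium policy; an empty list means OK to merge."""
    kind, spec = policy.get("kind"), policy.get("spec", {})
    findings = []
    if kind in ("KubeArmorPolicy", "KubeArmorHostPolicy"):
        sel = "nodeSelector" if kind == "KubeArmorHostPolicy" else "selector"
        labels = spec.get(sel, {}).get("matchLabels", {})
        if spec.get("action") != "Block":  # Audit only logs, it does not enforce
            findings.append(f"action is {spec.get('action')!r}, expected 'Block'")
        if not any(s in spec for s in KUBEARMOR_SECTIONS):
            findings.append("no rule section (file/process/network/...)")
    elif kind == "CiliumNetworkPolicy":
        labels = spec.get("endpointSelector", {}).get("matchLabels", {})
        if not any(s in spec for s in CILIUM_SECTIONS):
            findings.append("no ingress/egress rules")
        for rule in spec.get("ingressDeny", []) + spec.get("egressDeny", []):
            for port in (p for tp in rule.get("toPorts", []) for p in tp.get("ports", [])):
                if not isinstance(port.get("port"), str):  # Cilium wants "44134", not 44134
                    findings.append(f"port {port.get('port')!r} must be a quoted string")
    else:
        return [f"unsupported kind {kind!r}"]
    if not labels:
        findings.append("empty selector matches everything in scope")
    findings += [f"selector {k}={v} is the sample placeholder; set your own label"
                 for k, v in labels.items() if PLACEHOLDERS.get(k) == v]
    return findings

# Constructed from the page's samples, trimmed to the fields the lint inspects.
PTRACE_POLICY = {
    "apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorHostPolicy",
    "metadata": {"name": "hsp-mitre-ptrace-syscall"},
    "spec": {"nodeSelector": {"matchLabels": {"kubernetes.io/hostname": "gke-ubuntu"}},
             "file": {"severity": 6, "matchPaths": [{"path": "/proc/sys/kernel/yama/ptrace_scope"},
                                                    {"path": "/etc/sysctl.d/10-ptrace.conf"}]},
             "action": "Block"}}
TILLER_POLICY = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "cnp-ingress-mitre-t1210-block-helm-tiller-endpoint"},
    "spec": {"endpointSelector": {"matchLabels": {"app": "test"}},
             "ingressDeny": [{"toPorts": [{"ports": [{"port": "44134", "protocol": "ANY"}]}]}]}}
```

Run as-is, both samples fail only on the placeholder selector, which is exactly the comment in each policy telling you to change the label; fail the CI job whenever any policy returns a non-empty list.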
Note: KubeArmor provides numerous open source policy templates to help you get started with monitoring and enforcing compliance and security. To learn more, visit the GitHub policy template repository. Examples include CIS, NIST and PCI templates, as well as examples for several different languages and applications.