
Policy using GitOps Workflow

AccuKnox enables DevSecOps teams to embed security policies as code into their GitOps workflow. This provides a unified, collaborative view of the policies and lets them be shipped and deployed along with the applications they protect. Instead of separately configuring perimeter or host firewall rules, AccuKnox leverages Kubernetes to apply the policies at the pod and host level as deployments change.

AccuKnox uses Cilium and KubeArmor to enforce network and application security policies at runtime. Both tools use YAML or JSON files as their policy definition language for runtime security rules.

Sample Application Policy

Below is a sample KubeArmor host policy that blocks access to the ptrace-related files on the host:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-mitre-ptrace-syscall
spec:
  tags: ["MITRE", "T1055.008", "Privilege Escalation", "P-trace"]
  message: "Alert! ptrace access denied"
  nodeSelector:
    matchLabels:
      kubernetes.io/hostname: gke-ubuntu # Change your match labels
  severity: 6
  file:
    matchPaths:
      - path: /proc/sys/kernel/yama/ptrace_scope
      - path: /etc/sysctl.d/10-ptrace.conf
  action: Block

Sample Network Policy

Below is a sample Cilium policy that denies access to the Helm Tiller endpoint:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "cnp-ingress-mitre-t1210-block-helm-tiller-endpoint"
spec:
  description: "Policy to Deny Access to tiller endpoint on port 44134"
  endpointSelector:
    matchLabels:
      app: test #change app: test to match your label
  ingressDeny:
    - toPorts:
        - ports:
            - port: "44134"
              protocol: ANY
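Because these policy files go through the same pull-request review as application manifests, a cheap pre-merge check catches schema mistakes before the cluster rejects them. The following is an added example, not AccuKnox, KubeArmor or Cilium tooling: a Python lint run over the parsed form of the two sample policies above; the kubernetes.io/hostname label key and the CI wiring are assumptions.

```python
# Parsed form of the two sample policies on this page, constructed inline so the check
# runs offline; a real pipeline would yaml.safe_load_all() each file and pass every doc in.
SAMPLE_KUBEARMOR = {
    "apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorHostPolicy",
    "metadata": {"name": "hsp-mitre-ptrace-syscall"},
    "spec": {"severity": 6, "action": "Block",
             # label key is an assumption; the page only shows the value gke-ubuntu
             "nodeSelector": {"matchLabels": {"kubernetes.io/hostname": "gke-ubuntu"}},
             "file": {"matchPaths": [{"path": "/proc/sys/kernel/yama/ptrace_scope"},
                                     {"path": "/etc/sysctl.d/10-ptrace.conf"}]}},
}
SAMPLE_CILIUM = {
    "apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "cnp-ingress-mitre-t1210-block-helm-tiller-endpoint"},
    "spec": {"endpointSelector": {"matchLabels": {"app": "test"}},
             "ingressDeny": [{"toPorts": [{"ports": [{"port": "44134", "protocol": "ANY"}]}]}]},
}

# apiVersion each kind must carry; kubectl apply fails on anything else
EXPECTED_API = {"KubeArmorHostPolicy": "security.kubearmor.com/v1",
                "CiliumNetworkPolicy": "cilium.io/v2"}
KUBEARMOR_RULES = ("process", "file", "network", "capabilities", "syscalls")
CILIUM_RULES = ("ingress", "egress", "ingressDeny", "egressDeny")


def validate_policy(doc):
    """Return findings for one parsed policy; an empty list means it may be merged."""
    kind, spec, out = doc.get("kind"), doc.get("spec") or {}, []
    if kind not in EXPECTED_API:
        return [f"unsupported kind {kind!r}"]
    if doc.get("apiVersion") != EXPECTED_API[kind]:
        out.append(f"apiVersion must be {EXPECTED_API[kind]}")
    if kind == "KubeArmorHostPolicy":
        if not (spec.get("nodeSelector") or {}).get("matchLabels"):
            out.append("spec.nodeSelector.matchLabels must not be empty")
        if spec.get("action") not in ("Allow", "Audit", "Block"):
            out.append("spec.action must be Allow, Audit or Block")
        if not any(spec.get(k) for k in KUBEARMOR_RULES):
            out.append("policy has no process/file/network/capabilities/syscalls rule")
    else:
        if not spec.get("endpointSelector"):
            out.append("spec.endpointSelector is required")
        if not any(spec.get(k) for k in CILIUM_RULES):
            out.append("policy has no ingress/egress rule")
        # the CRD wants port as a string: an unquoted 44134 parses as int and is rejected
        for rule in (r for k in CILIUM_RULES for r in spec.get(k) or []):
            for pr in rule.get("toPorts") or []:
                for p in pr.get("ports") or []:
                    if not isinstance(p.get("port"), str):
                        out.append(f"port {p.get('port')!r} must be a quoted string")
    return out
```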

Note: KubeArmor provides numerous open source policy templates to help you get started with monitoring and enforcing compliance and security. To learn more, visit the GitHub policy template repository. Examples include CIS, NIST and PCI templates, as well as templates for several different languages and applications.
