Using KubeArmor in audit-only mode
KubeArmor allows you to specify Allow policies (aka whitelist policies). Any action outside of these Allow policies is either audited or blocked, depending on the default posture. Currently, the default posture is block.
The default posture can be set at:
- the global level
- the individual namespace level
Setting Global posture
The global default posture is configured using configuration options passed to KubeArmor in its configuration file:
defaultFilePosture: block # or audit
defaultNetworkPosture: block # or audit
defaultCapabilitiesPosture: block # or audit
Or using command-line flags passed to the KubeArmor binary:
-defaultFilePosture string
configuring default enforcement action in global file context [audit,block] (default "block")
-defaultNetworkPosture string
configuring default enforcement action in global network context [audit,block] (default "block")
-defaultCapabilitiesPosture string
configuring default enforcement action in global capability context [audit,block] (default "block")
Namespace Default Posture
We use namespace annotations to configure the default posture per namespace. The supported annotation keys are kubearmor-file-posture, kubearmor-network-posture and kubearmor-capabilities-posture, with the values block or audit. If a namespace is annotated with a supported key and an invalid value (for example kubearmor-file-posture=invalid), KubeArmor updates the value to the global default posture (i.e. to kubearmor-file-posture=block with the default global posture).
Example
~❯❯❯ kubectl annotate ns multiubuntu kubearmor-file-posture=audit
namespace/multiubuntu annotated
~❯❯❯ kubectl describe ns multiubuntu
Name: multiubuntu
Labels: kubernetes.io/metadata.name=multiubuntu
Annotations: kubearmor-file-posture: audit
Status: Active
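As an added illustration of the posture rules above (example code, not KubeArmor's own implementation), the Go snippet below resolves a namespace's effective posture from the global flag values and its annotations, inheriting the global default for missing keys and rewriting invalid values the way the page describes. `ResolvePosture`, `GlobalDefaults` and `postureKeys` are hypothetical names, and the sample namespace annotations are constructed.

```go
package main

import "fmt"

// Posture values the page documents.
const (
	PostureBlock = "block"
	PostureAudit = "audit"
)

// Namespace annotation keys from the page; each overrides one global flag.
var postureKeys = []string{
	"kubearmor-file-posture",         // defaultFilePosture
	"kubearmor-network-posture",      // defaultNetworkPosture
	"kubearmor-capabilities-posture", // defaultCapabilitiesPosture
}
// GlobalDefaults maps each annotation key to the value of its global flag.
type GlobalDefaults map[string]string

// ResolvePosture (hypothetical helper, not KubeArmor's code) computes a namespace's
// effective posture: a missing annotation inherits the global default, and an invalid
// value is reset to it (reported in `corrected`), as the page describes. Exact match only.
func ResolvePosture(g GlobalDefaults, annotations map[string]string) (effective, corrected map[string]string) {
	effective = make(map[string]string, len(postureKeys))
	corrected = make(map[string]string)
	for _, key := range postureKeys {
		val, present := annotations[key]
		switch {
		case !present:
			effective[key] = g[key]
		case val == PostureBlock || val == PostureAudit:
			effective[key] = val
		default: // e.g. kubearmor-file-posture=invalid
			effective[key] = g[key]
			corrected[key] = g[key]
		}
	}
	return effective, corrected
}

func main() {
	global := GlobalDefaults{} // constructed: every flag left at its default "block"
	for _, key := range postureKeys {
		global[key] = PostureBlock
	}
	// Constructed sample namespace: file posture audited, network annotation mistyped.
	ns := map[string]string{"kubearmor-file-posture": "audit", "kubearmor-network-posture": "invalid"}
	eff, fix := ResolvePosture(global, ns)
	fmt.Println("effective:", eff, "rewritten:", fix)
}
```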