
Using Kubearmor in audit-only mode

KubeArmor allows you to specify Allow policies (also known as whitelist policies). Any action outside of these Allow policies is either audited or blocked. Currently, the default posture is block.

The default posture can be set at:

  1. at the global level
  2. at the individual namespace level

Setting Global posture

The global default posture is configured through configuration options passed to KubeArmor in its configuration file:

defaultFilePosture: block # or audit
defaultNetworkPosture: block # or audit
defaultCapabilitiesPosture: block # or audit

Or using command-line flags of the KubeArmor binary:

  -defaultFilePosture string
        configuring default enforcement action in global file context [audit,block] (default "block")
  -defaultNetworkPosture string
        configuring default enforcement action in global network context [audit,block] (default "block")
  -defaultCapabilitiesPosture string
        configuring default enforcement action in global capability context [audit,block] (default "block")

Namespace Default Posture

We use namespace annotations to configure the default posture per namespace. The supported annotation keys are kubearmor-file-posture, kubearmor-network-posture and kubearmor-capabilities-posture, with the values block or audit. If a namespace is annotated with a supported key and an invalid value (for example kubearmor-file-posture=invalid), KubeArmor replaces the value with the global default posture (i.e. kubearmor-file-posture=block).

Example

~❯❯❯  kubectl annotate ns multiubuntu kubearmor-file-posture=audit
namespace/multiubuntu annotated
~❯❯❯  kubectl describe ns multiubuntu
Name:         multiubuntu
Labels:       kubernetes.io/metadata.name=multiubuntu
Annotations:  kubearmor-file-posture: audit
Status:       Active
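The following script is an added example, not part of KubeArmor's own code or documentation. It reproduces the posture-resolution rule described in the section above (a valid per-namespace annotation wins; a missing or invalid annotation falls back to the global posture for that context) over a constructed annotation listing in the same form that `kubectl describe ns` prints, so it runs without a cluster. The global posture values and the annotation contents are assumptions chosen for the demonstration; the annotation keys and the audit/block values are the ones the page documents.

```shell
#!/bin/sh
# Added example (not KubeArmor's own code): compute the effective default
# posture of a namespace from its annotations and the global defaults.
# Rule mirrored from the documentation: a valid annotation (audit|block)
# wins; a missing or invalid one falls back to the global posture.

# Global defaults as they would appear in KubeArmor's configuration file.
# Assumed values for this example.
GLOBAL_FILE_POSTURE=block
GLOBAL_NETWORK_POSTURE=block
GLOBAL_CAPABILITIES_POSTURE=audit

# Constructed annotation listing in the form 'kubectl describe ns' prints.
# No cluster is contacted; this stands in for real describe output.
NS_ANNOTATIONS='kubearmor-file-posture: audit
kubearmor-network-posture: invalid
kubearmor-capabilities-posture: block'

# is_valid_posture VALUE -> exit status 0 if VALUE is audit or block, else 1
is_valid_posture() {
    case "$1" in
        audit|block) return 0 ;;
        *) return 1 ;;
    esac
}

# annotation_value ANNOTATIONS KEY -> prints the value for KEY, or nothing
annotation_value() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# effective_posture ANNOTATIONS CONTEXT GLOBAL -> prints audit|block
# CONTEXT is one of file, network or capabilities.
effective_posture() {
    annotations=$1
    context=$2
    global=$3
    value=$(annotation_value "$annotations" "kubearmor-${context}-posture")
    if [ -n "$value" ] && is_valid_posture "$value"; then
        printf '%s\n' "$value"
    else
        # Missing or invalid annotation: KubeArmor applies the global posture
        # (and rewrites an invalid annotation to that value).
        printf '%s\n' "$global"
    fi
}

# report ANNOTATIONS -> one "context: posture" line per enforcement context
report() {
    for ctx in file network capabilities; do
        case "$ctx" in
            file) g=$GLOBAL_FILE_POSTURE ;;
            network) g=$GLOBAL_NETWORK_POSTURE ;;
            capabilities) g=$GLOBAL_CAPABILITIES_POSTURE ;;
        esac
        printf '%s: %s\n' "$ctx" "$(effective_posture "$1" "$ctx" "$g")"
    done
}

report "$NS_ANNOTATIONS"
```

With the constructed input, the file context resolves to audit (valid annotation), the network context resolves to block (invalid annotation, global default block), and the capabilities context resolves to block (valid annotation overriding the global audit). Against a real cluster, the same resolution can be checked by comparing the annotation values shown by `kubectl describe ns` with the global posture flags KubeArmor was started with.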