
KubeArmor on VM/Bare-Metal

KubeArmor is a Runtime Security engine that can protect your applications from unknown threats.

This recipe explains how to use KubeArmor directly on a VM or bare-metal host; it was tested on Ubuntu hosts. The recipe installs KubeArmor as a systemd service, plus the karmor CLI tool to manage policies and show alerts/telemetry.

Download and Install KubeArmor

  1. Install pre-requisites

    sudo apt update && sudo apt upgrade
    sudo apt install bpfcc-tools linux-headers-$(uname -r)
    sudo apt install make libelf-dev llvm clang linux-headers-generic

    # Install any one of the following packages for bpftool, depending on your system environment.
    sudo apt install linux-intel-iotg-5.15-tools-common
    sudo apt install linux-oem-5.6-tools-common
    sudo apt install linux-tools-common
    sudo apt install linux-iot-tools-common
    sudo apt install linux-tools-gcp
    sudo apt install linux-cloud-tools-gcp
    

  2. To install KubeArmor, copy the whole command block below and run it:

    curl -s https://api.github.com/repos/kubearmor/KubeArmor/releases/latest \
    | grep "browser_download_url.*deb" \
    | cut -d : -f 2,3 \
    | tr -d \" \
    | wget -qi -
    sudo dpkg -i kubearmor_*_linux-amd64.deb
    

Start KubeArmor

sudo systemctl enable kubearmor && sudo systemctl start kubearmor

Check kubearmor status using sudo systemctl status kubearmor or use sudo journalctl -u kubearmor -f to continuously monitor kubearmor logs.

Apply sample policy

The following policy denies execution of the sleep binary on the host:

sleepdenypolicy.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  process:
    matchPaths:
    - path: /usr/bin/sleep # try sleep 1
  action:
    Block

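Save the above policy to sleepdenypolicy.yaml.

To install the karmor CLI tool:

curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin

This fetches the installer script over plain HTTP and runs it as root, so on hosts where that matters, download and review the script before running it.

Then apply the policy:

karmor vm policy add sleepdenypolicy.yaml

Now, if you run the sleep command, its execution is denied.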

Get Alerts for policies and telemetry

karmor log --json
{
  "Timestamp": 1639803960,
  "UpdatedTime": "2021-12-18T05:06:00.077564Z",
  "ClusterName": "Default",
  "HostName": "pandora",
  "HostPID": 3390423,
  "PPID": 168556,
  "PID": 3390423,
  "UID": 1000,
  "PolicyName": "hsp-kubearmor-dev-proc-path-block",
  "Severity": "1",
  "Type": "MatchedHostPolicy",
  "Source": "zsh",
  "Operation": "Process",
  "Resource": "/usr/bin/sleep",
  "Data": "syscall=SYS_EXECVE",
  "Action": "Block",
  "Result": "Permission denied"
}
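
An added example (not part of the KubeArmor documentation): a small Python filter that reduces the alert stream above to a per-policy summary of blocked host events. It assumes karmor log --json emits one JSON object per line; apart from the first alert, which is taken from this page, the sample lines and the policy name example-audit-policy are constructed.

```python
import json
import sys
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input. Line 1 is the alert shown on this page, trimmed to
# the fields used below; the other lines are made up for illustration.
SAMPLE_LINES = [
    '{"Timestamp": 1639803960, "HostName": "pandora", "UID": 1000, '
    '"PolicyName": "hsp-kubearmor-dev-proc-path-block", "Type": "MatchedHostPolicy", '
    '"Source": "zsh", "Resource": "/usr/bin/sleep", "Action": "Block"}',
    '{"Timestamp": 1639803975, "HostName": "pandora", "UID": 1000, '
    '"PolicyName": "hsp-kubearmor-dev-proc-path-block", "Type": "MatchedHostPolicy", '
    '"Source": "bash", "Resource": "/usr/bin/sleep", "Action": "Block"}',
    'this line is not JSON (constructed)',
    '{"Timestamp": 1639803990, "HostName": "pandora", "UID": 0, '
    '"PolicyName": "example-audit-policy", "Type": "MatchedHostPolicy", '
    '"Source": "bash", "Resource": "/usr/bin/example", "Action": "Audit"}',
]

def parse_alerts(lines):
    """Yield a dict for every line holding a JSON object; skip everything else."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # banners, blank or truncated lines
        if isinstance(event, dict):
            yield event

def blocked_host_events(events):
    """Keep only host-policy matches whose action was Block."""
    return [e for e in events
            if e.get("Type") == "MatchedHostPolicy" and e.get("Action") == "Block"]

def summarize(events):
    """Count events per (policy, resource, source process)."""
    return Counter((e.get("PolicyName"), e.get("Resource"), e.get("Source")) for e in events)

def utc_time(event):
    """Render the epoch-seconds Timestamp field as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(event["Timestamp"], tz=timezone.utc).isoformat()

if __name__ == "__main__":
    # Assumption: one JSON object per line on stdin; fall back to the samples.
    lines = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    blocked = blocked_host_events(parse_alerts(lines))
    for (policy, resource, source), n in summarize(blocked).most_common():
        print(f"{n:3d}  {policy}  {resource}  (from {source})")
    print("first block:", utc_time(blocked[0]) if blocked else "none")
```

To run it against live alerts, pipe the stream into the script, for example karmor log --json | python3 triage.py (the file name is arbitrary).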