KubeArmor Support Matrix¶
KubeArmor supports following types of workloads:
1.K8s orchestrated workloads: Workloads deployed as k8s orchestrated containers. In this case, KubeArmor is deployed as a k8s daemonset. Note, KubeArmor supports policy enforcement on both k8s-pods (KubeArmorPolicy) as well as k8s-nodes (KubeArmorHostPolicy).
2.VM/Bare-Metals workloads: Workloads deployed on Virtual Machines or Bare Metal i.e. workloads directly operating as host processes. In this case, KubeArmor is deployed in systemd mode.
Kubernetes Support Matrix¶
| Provider | K8s engine | OS Image | Arch | Observability | Audit Rules | Blocking Rules | Network-Segmentation | LSM Enforcer | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| Onprem | kubeadm, k0s, k3s, microk8s | Distros | x86_64, ARM |  |
|
|
|
BPFLSM, AppArmor | |
| GKE | COS | x86_64 | |
|
|
|
BPFLSM, AppArmor | All release channels | |
| GKE | Ubuntu >= 16.04 | x86_64 | |
|
|
|
BPFLSM, AppArmor | All release channels | |
| Microsoft | AKS | Ubuntu >= 18.04 | x86_64 | |
|
|
|
BPFLSM, AppArmor | |
| Oracle | OKE | UEK >=7 | x86_64 | |
|
|
|
BPFLSM | Oracle Linux Server 8.7 |
| IBM | IKS | Ubuntu | x86_64 | |
|
|
|
BPFLSM, AppArmor | |
| Talos | Talos k8s | Talos | x86_64 | |
|
|
|
BPFLSM | 1540 |
| AWS | EKS | Amazon Linux 2 (kernel >=5.8) | x86_64 | |
|
|
|
BPFLSM | |
| AWS | EKS | Ubuntu | x86_64 | |
|
|
|
AppArmor | |
| AWS | EKS | Bottlerocket | x86_64 | |
|
|
|
BPFLSM | |
| AWS | EKS-Auto-Mode | Bottlerocket | x86_64 | |
|
|
|
BPFLSM | |
| AWS | Graviton | Ubuntu | ARM | |
|
|
|
AppArmor | |
| AWS | Graviton | Amazon Linux 2 | ARM | |
|
 |
|
SELinux | |
| RedHat | OpenShift | RHEL <=8.4 | x86_64 | |
|
|
|
SELinux | |
| RedHat | OpenShift | RHEL >=8.5 | x86_64 | |
|
|
|
BPFLSM | |
| RedHat | MicroShift | RHEL >=9.2 | x86_64 | |
|
|
|
BPFLSM | |
| Rancher | RKE | SUSE | x86_64 | |
|
|
|
BPFLSM, AppArmor | |
| Rancher | K3S | Distros | x86_64 | |
|
|
|
BPFLSM, AppArmor | |
| Oracle | Ampere | UEK | ARM | |
|
|
|
SELinux | 1084 |
| VMware | Tanzu | TBD | x86_64 |  |
|
|
|
|
1064 |
| Mirantis | MKE | Ubuntu>=20.04 | x86_64 | |
|
|
|
AppArmor | 1181 |
| Digital Ocean | DOKS | Debian GNU/Linux 11 (bullseye) | x86_64 | |
|
|
|
BPFLSM | 1120 |
| Alibaba Cloud | Alibaba | Alibaba Cloud Linux 3.2104 LTS | x86_64 | |
|
|
|
BPFLSM | 1650 |
Supported Linux Distributions¶
Following distributions are tested for VM/Bare-metal based installations:
| Provider | Distro | VM / Bare-metal | Kubernetes |
|---|---|---|---|
| SUSE | SUSE Enterprise 15 | Full | Full |
| Debian | Buster / Bullseye | Full | Full |
| Ubuntu | 18.04 / 16.04 / 20.04 | Full | Full |
| RedHat / CentOS | RHEL / CentOS <= 8.4 | Full | Partial |
| RedHat / CentOS | RHEL / CentOS >= 8.5 | Full | Full |
| Fedora | Fedora 34 / 35 | Full | Full |
| Rocky Linux | Rocky Linux >= 8.5 | Full | Full |
| AWS | Amazon Linux 2022 | Full | Full |
| AWS | Amazon Linux 2023 | Full | Full |
| RaspberryPi (ARM) | Debian | Full | Full |
| ArchLinux | ArchLinux-6.2.1 | Full | Full |
| Alibaba | Alibaba Cloud Linux 3.2104 LTS 64 bit | Full | Full |
Note Full: Supports both enforcement and observability
Partial: Supports only observability
Platform I am interested is not listed here! What can I do?¶
Please approach the Kubearmor community on slack or raise a GitHub issue to express interest in adding the support.
It would be very much appreciated if you can test kubearmor on a platform not listed above and if you have access to. Once tested you can update this document and raise a PR.