KubeArmor
Security Policy Examples for Hosts
Here, we demonstrate how to define host security policies.
  • Process Execution Restriction
    • Block a specific executable (hsp-kubearmor-dev-proc-path-block.yaml)
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorHostPolicy
      metadata:
        name: hsp-kubearmor-dev-proc-path-block
      spec:
        nodeSelector:
          matchLabels:
            kubernetes.io/hostname: kubearmor-dev
        process:
          matchPaths:
          - path: /usr/bin/sleep # try sleep 1
        action:
          Block
      • Explanation: The purpose of this policy is to block the execution of '/bin/sleep' on the host whose hostname is 'kubearmor-dev'. For this, we define 'kubernetes.io/hostname: kubearmor-dev' in nodeSelector -> matchLabels and the executable path in process -> matchPaths (the policy lists '/usr/bin/sleep'; on hosts where /bin is a symlink to /usr/bin, '/bin/sleep' resolves to the same file). Also, we set 'Block' as the action of this policy.
      • Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run '/bin/sleep' (e.g., 'sleep 1', as the comment in the policy suggests). You will see that the execution of /bin/sleep is blocked.
  • File Access Restriction
    • Audit a critical file access (hsp-kubearmor-dev-file-path-audit.yaml)
      apiVersion: security.kubearmor.com/v1
      kind: KubeArmorHostPolicy
      metadata:
        name: hsp-kubearmor-dev-file-path-audit
      spec:
        nodeSelector:
          matchLabels:
            kubernetes.io/hostname: kubearmor-dev
        file:
          matchPaths:
          - path: /etc/shadow # cat /etc/shadow
        action:
          Audit
      • Explanation: The purpose of this policy is to audit any access to a critical file (i.e., '/etc/shadow') on the host 'kubearmor-dev'. Since we want to audit one specific file, we use file -> matchPaths to specify the path '/etc/shadow', and we set 'Audit' as the action.
      • Verification: After applying this policy, please open a new terminal (or connect to the host with a new session) and run 'sudo cat /etc/shadow'. The read succeeds, since Audit only records the access rather than denying it; then check the alert logs of KubeArmor for an entry that names this policy.
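To make the matching rules of the two policies above concrete (nodeSelector -> matchLabels picks the host, process/file -> matchPaths picks the path, and action decides what happens), here is an added example that is not part of the KubeArmor documentation or code base. It transcribes the two policies as Python dicts (constructed input, standing in for the YAML the CRD would parse) and evaluates a hypothetical event against them; the rule that Block outranks Audit when several policies match, and the None result when no policy applies, are assumptions of this example, not a statement of KubeArmor's internals.

```python
# Added example, not KubeArmor's own code: evaluate the host policies from
# this page against a (node labels, event kind, path) triple.
from typing import Optional

# The two YAML documents above, transcribed as dicts (constructed input).
POLICIES = [
    {"apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorHostPolicy",
     "metadata": {"name": "hsp-kubearmor-dev-proc-path-block"},
     "spec": {"nodeSelector": {"matchLabels": {"kubernetes.io/hostname": "kubearmor-dev"}},
              "process": {"matchPaths": [{"path": "/usr/bin/sleep"}]},
              "action": "Block"}},
    {"apiVersion": "security.kubearmor.com/v1", "kind": "KubeArmorHostPolicy",
     "metadata": {"name": "hsp-kubearmor-dev-file-path-audit"},
     "spec": {"nodeSelector": {"matchLabels": {"kubernetes.io/hostname": "kubearmor-dev"}},
              "file": {"matchPaths": [{"path": "/etc/shadow"}]},
              "action": "Audit"}},
]


def node_selected(policy: dict, node_labels: dict) -> bool:
    """nodeSelector -> matchLabels: every label listed in the policy must be
    present on the node with exactly the same value."""
    wanted = policy["spec"]["nodeSelector"]["matchLabels"]
    return all(node_labels.get(k) == v for k, v in wanted.items())


def matching_policies(policies: list, node_labels: dict, kind: str, path: str) -> list:
    """Return (policy name, action) for every policy whose <kind> -> matchPaths
    lists <path> exactly on the selected node. kind is 'process' or 'file'."""
    hits = []
    for p in policies:
        if not node_selected(p, node_labels):
            continue
        rules = p["spec"].get(kind, {}).get("matchPaths", [])
        if any(r["path"] == path for r in rules):
            hits.append((p["metadata"]["name"], p["spec"]["action"]))
    return hits


def decide(policies: list, node_labels: dict, kind: str, path: str) -> Optional[str]:
    """Assumption of this example: Block wins over Audit when both match.
    None means no policy on this page applies (the host's default posture
    would then decide, which this example does not model)."""
    actions = [a for _, a in matching_policies(policies, node_labels, kind, path)]
    if "Block" in actions:
        return "Block"
    if "Audit" in actions:
        return "Audit"
    return None
```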