# KubeArmor
[](https://github.com/kubearmor/KubeArmor/actions/workflows/ci-test-ginkgo.yml/) [](https://bestpractices.coreinfrastructure.org/projects/5401) [](https://clomonitor.io/projects/cncf/kubearmor) [](https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/KubeArmor) [](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield) [](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield) [](https://cloud-native.slack.com/archives/C02R319HVL3) [](https://github.com/kubearmor/KubeArmor/discussions) [](https://hub.docker.com/r/kubearmor/kubearmor) [](https://artifacthub.io/packages/search?kind=19)
KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level.
KubeArmor leverages [Linux security modules (LSMs)](https://en.wikipedia.org/wiki/Linux_Security_Modules) such as [AppArmor](https://en.wikipedia.org/wiki/AppArmor), [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), or [BPF-LSM](https://docs.kernel.org/bpf/prog_lsm.html) to enforce the user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.
| | |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| πͺ Harden Infrastructure
βοΈ Protect critical paths such as cert bundles
π MITRE, STIGs, CIS based rules
π
Restrict access to raw DB table
| π Least Permissive Access
π₯ Process Whitelisting
π₯ Network Whitelisting
ποΈ Control access to sensitive assets
|
| π Application Behavior
𧬠Process execs, File System accesses
π§ Service binds, Ingress, Egress connections
π¬ Sensitive system call profiling
| βοΈ Deployment Models
βΈοΈ Kubernetes Deployment
π Containerized Deployment
π» VM/Bare-Metal Deployment
|
### Architecture Overview
### Documentation :notebook:
* :point\_right: [Getting Started](https://docs.kubearmor.io/kubearmor/quick-links/deployment_guide)
* :dart: [Use Cases](https://docs.kubearmor.io/kubearmor/use-cases/hardening)
* :heavy\_check\_mark: [KubeArmor Support Matrix](https://docs.kubearmor.io/kubearmor/quick-links/support_matrix)
* :chess\_pawn: [How is KubeArmor different?](https://docs.kubearmor.io/kubearmor/quick-links/differentiation)
* :scroll: Security Policy for Pods/Containers \[[Spec](https://docs.kubearmor.io/kubearmor/documentation/security_policy_specification)] \[[Examples](https://docs.kubearmor.io/kubearmor/documentation/security_policy_examples)]
* :scroll: Cluster level security Policy for Pods/Containers \[[Spec](https://docs.kubearmor.io/kubearmor/documentation/cluster_security_policy_specification)] \[[Examples](https://docs.kubearmor.io/kubearmor/documentation/cluster_security_policy_examples)]
* :scroll: Security Policy for Hosts/Nodes \[[Spec](https://docs.kubearmor.io/kubearmor/documentation/host_security_policy_specification)] \[[Examples](https://docs.kubearmor.io/kubearmor/documentation/host_security_policy_examples)]
* :scroll: Network Security Policy for Hosts/Nodes \[[Spec](https://docs.kubearmor.io/kubearmor/documentation/network_security_policy_specification)] \[[Examples](https://docs.kubearmor.io/kubearmor/documentation/network_security_policy_examples)]\
... [detailed documentation](https://docs.kubearmor.io/kubearmor/)
#### Contributors :busts\_in\_silhouette:
* :blue\_book: [Contribution Guide](https://docs.kubearmor.io/kubearmor/contribution/contribution_guide)
* :technologist: [Development Guide](https://docs.kubearmor.io/kubearmor/contribution/development_guide), [Testing Guide](https://docs.kubearmor.io/kubearmor/contribution/testing_guide)
* :raised\_hand: [Join KubeArmor Slack](https://cloud-native.slack.com/archives/C02R319HVL3)
* :question: [FAQs](https://docs.kubearmor.io/kubearmor/documentation/faq)
#### Biweekly Meeting
* :speaking\_head: [Zoom Link](http://zoom.kubearmor.io)
* :page\_facing\_up: Minutes: [Document](https://docs.google.com/document/d/1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs/edit)
* :calendar: Calendar invite: [Google Calendar](http://www.google.com/calendar/event?action=TEMPLATE\&dates=20220210T150000Z%2F20220210T153000Z\&text=KubeArmor%20Community%20Call\&location=\&details=%3Ca%20href%3D%22https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs%2Fedit%22%3EMinutes%20of%20Meeting%3C%2Fa%3E%0A%0A%3Ca%20href%3D%22%20http%3A%2F%2Fzoom.kubearmor.io%22%3EZoom%20Link%3C%2Fa%3E\&recur=RRULE:FREQ=WEEKLY;INTERVAL=2;BYDAY=TH\&ctz=Asia/Calcutta), [ICS file](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/resources/KubeArmorMeetup.ics)
### Notice/Credits :handshake:
* KubeArmor uses [Tracee](https://github.com/aquasecurity/tracee/)'s system call utility functions.
### CNCF
KubeArmor is [Sandbox Project](https://www.cncf.io/projects/kubearmor/) of the Cloud Native Computing Foundation. 
### ROADMAP
KubeArmor roadmap is tracked via [KubeArmor Projects](https://github.com/orgs/kubearmor/projects?query=is%3Aopen)