v1.5

KubeArmor v1.5 delivers significant advancements in runtime security for Kubernetes environments. This release introduces enhanced policy enforcement, streamlined management, and improved observability, making it easier to secure workloads effectively.

This version expands platform support, optimizes performance, and introduces new features like network policy enforcement and host security hardening, along with integrations for a seamless security experience.

📺 Watch the v1.5 Feature Showcase Livestream: Cloud Native Live: What's latest in KubeArmor v1.5

🔑 Key Highlights

  • Runtime Protection for Kubernetes Clusters: Secure clusters at runtime with fine-grained policies that prevent unauthorized access and block malicious activity.

  • Cluster-wide Security Policies: Cluster-level policies enable security enforcement beyond individual namespaces, for organization-wide protection. KubeArmor enforces Cluster Security Policies (CSPs), which let you define security controls across the entire cluster. CSPs provide a unified way to manage container workloads at scale, enabling global policy enforcement across namespaces.

    📄 Specification of Cluster Security Policy for Containers

    📝 Examples of Cluster Security Policy

  • KubeArmor Presets: Simplify security policy deployment with predefined policy templates for common use cases such as:

    • Blocking fileless execution

    • Protecting environment variables

    • Auditing and blocking kubectl exec commands

    To use presets, specify the preset-rule field in your KubeArmorPolicy.

  • Minikube and Killercoda Playground Support: Set up quick test environments for demos and PoCs with minimal effort.

  • Support for SCTP and All Protocols: Added handling for the SCTP protocol and for all protocols over raw sockets, including a protocol: all network rule. (Contributed by @rksharma95 in #1892)

  • OpenSSF Scorecard Improvements: Reduced attack surface and improved compliance by tightening seccomp profiles and minimizing host exposure.

  • NRI Handler Support: Implemented an NRI (Network Resource Interface) handler to extend runtime integrations. (Contributed by @dqsully in #1674)
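As an added example, not taken from these release notes or from the KubeArmor repository, a namespaced KubeArmorPolicy that uses the new protocol: all network rule mentioned above to audit every network operation of a workload; the policy name, namespace and selector labels are placeholders:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: audit-all-network-protocols   # constructed name
  namespace: demo                     # placeholder namespace
spec:
  severity: 5
  message: "network activity observed by protocol-agnostic rule"
  selector:
    matchLabels:
      app: demo-workload              # placeholder label
  network:
    matchProtocols:
      # v1.5 adds sctp and all to the previously accepted tcp, udp, icmp and raw
      - protocol: all
  # Audit first to baseline the workload's traffic in KubeArmor's alerts;
  # a Block action on this rule denies every network call from the workload
  # that is not covered by a separate Allow policy.
  action: Audit
```

Apply it with kubectl and review the generated alerts before considering a Block action for the same rule.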

🛠 Improvements

  • Cluster Name Detection: Auto-fetch cluster names for easier multi-cluster management.

  • Docker ImagePull Secrets: Improved management of Docker credentials for smoother deployments.

  • Fileless Execution Handling: Added dedicated presets to detect and prevent fileless attacks.

  • Containerd API Refactor: Upgraded to the v2 API for better performance and stability.

  • RBAC Enhancements: Introduced flag-based RBAC rules and refined operator configurations.

  • Deprecation of kube-rbac-proxy: Replaced with built-in controller authentication for a simpler security configuration.

  • Improved Controller Annotation Logic: Enhanced handling of pod deletions in the KubeArmor controller for better reliability. (Contributed by @Aryan-sharma11 in #1952)

  • Optimized Memory Usage: Reduced memory overhead in os.readlink operations to improve efficiency. (Contributed by @Aryan-sharma11 in #1996)

  • Exclude Labels in Endpoint Matching: Added support for excluding labels in CSP and KSP endpoint matching for more flexible policy scoping. (Contributed by @Prateeknandle in #1999)

🐞 Bug Fixes

  • Fixed conditional mount issues for operator consistency.

  • Enhanced log handling for cases where process names were missing.

  • Improved the build system by injecting version information into systemd packages.

  • Added a go-get-tool function to the operator Makefile for more stable builds.

  • Fixed the values returned for network events for more accurate monitoring. (Contributed by @rksharma95 in #2042)

📖 Documentation Updates

  • Talos Support: Updated the FAQ and guides for Talos environments, ensuring all platforms are well documented.

📄 Full CHANGELOG for v1.5

KubeArmor continues to harden cloud-native environments, enforcing least-permissive access and monitoring critical paths for Kubernetes, containerized, and bare-metal workloads.
