v1.6
We are excited to announce the release of KubeArmor v1.6, packed with powerful new features, significant enhancements, and critical bug fixes that make workload protection and observability even more robust for cloud-native environments.
This release reflects major advancements in policy enforcement, system monitoring, and ecosystem integrations while addressing important stability and performance improvements.
Key Features & Enhancements
Advanced Process Arguments Matching
Introduced argument-based matching for processes in policies.
Allows precise control over command-line arguments, enabling granular process enforcement.
This feature is currently limited to BPFLSM.
Example policy:
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: allow-steampipe-args
spec:
  selector:
    matchLabels:
      app: steampipe
  process:
    matchPaths:
      - path: /usr/bin/python3.6
        allowedArgs:
          - -m
          - modules.steampipe_aws
  action: Block
```
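As an added example (not KubeArmor's own code), the following Python models how a process rule with allowedArgs decides on an exec attempt inside a selected pod. It assumes allowedArgs is matched as an exact, ordered argument list and that a spec-level action covers the rule; both are assumptions about the feature, not the project's implementation.

```python
# Added example, not KubeArmor's own enforcement code: a toy model of how a
# process rule with allowedArgs decides on an exec. Assumptions (labelled):
# exact, ordered comparison of argv[1:] against allowedArgs; a matching path
# with different args gets the policy action; an unmentioned path gets None.
from typing import List, Optional
# The v1.6 release-note example policy as a dict, so no YAML library is needed.
POLICY = {
    "apiVersion": "security.kubearmor.com/v1",
    "kind": "KubeArmorPolicy",
    "metadata": {"name": "allow-steampipe-args"},
    "spec": {
        "selector": {"matchLabels": {"app": "steampipe"}},
        "process": {"matchPaths": [
            {"path": "/usr/bin/python3.6",
             "allowedArgs": ["-m", "modules.steampipe_aws"]},
        ]},
        "action": "Block",
    },
}


def pod_selected(policy: dict, pod_labels: dict) -> bool:
    """A pod is in scope when every selector label matches."""
    wanted = policy["spec"]["selector"]["matchLabels"]
    return all(pod_labels.get(k) == v for k, v in wanted.items())


def verdict(policy: dict, pod_labels: dict, argv: List[str]) -> Optional[str]:
    """Return 'Allow', the policy action ('Block'/'Audit'), or None when the
    policy says nothing about this exec. argv[0] is the executable path."""
    if not pod_selected(policy, pod_labels):
        return None
    spec = policy["spec"]
    for rule in spec.get("process", {}).get("matchPaths", []):
        if rule["path"] != argv[0]:
            continue
        action = rule.get("action", spec.get("action", "Block"))  # rule overrides spec
        allowed = rule.get("allowedArgs")
        if allowed is None:  # plain path rule: the action applies to any exec
            return action
        # Assumption: exact ordered match; reordered or extra args do not match.
        return "Allow" if argv[1:] == allowed else action
    return None


if __name__ == "__main__":
    for argv in (["/usr/bin/python3.6", "-m", "modules.steampipe_aws"],
                 ["/usr/bin/python3.6", "-m", "http.server"],
                 ["/bin/ls", "-la"]):
        print(" ".join(argv), "->", verdict(POLICY, {"app": "steampipe"}, argv))
```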
Add support for non-Kubernetes installation through the KubeArmor client
DNS Visibility at Pod-Level
Added DNS query tracing on UDP to provide insights into domain lookups from workloads.
Helps detect malicious behaviors such as DGA (Domain Generation Algorithm) lookups or unauthorized C2 (command-and-control) communications.
New Policy Presets
ProtectProc: Blocks unauthorized access to the /proc directory by non-owner processes.
ProtectEnv: Prevents unauthorized access to sensitive environment variables in /proc/[pid]/environ.
ExecPreset: Enforces restrictions on external process executions (e.g., via kubectl exec).
Container Runtime Enhancements
OCI Hooks Support:
Added support for containerd and CRI-O hooks, eliminating the need for exposing runtime UNIX sockets for container events.
Improved Telemetry and Observability
Added TTY information in BPF-LSM generated telemetry.
Enhanced telemetry with network metadata using Kubernetes informers.
Extended alert resources to include full command arguments.
Ecosystem and Integrations
OpenSearch Support: Added OpenSearch as a datasource for process graphs in Grafana dashboards.
Integrated image vulnerability scanning workflows (via Trivy) in release pipelines.
Bug Fixes and Stability Improvements
Resolved memory leaks in AppArmor DaemonSet (observed in AKS clusters).
Fixed policy deletion logic for recommended policies in the operator.
Addressed a KubeArmorClusterPolicy enforcement issue for pods created after the policy was applied.
Fixed panic errors with uninitialized Docker daemons.
Resolved tolerations propagation issues in Helm chart deployments.
Improved filtering logic in karmor profile commands to respect namespace, pod, and container filters.
Fixed PID/HostPID and PPID/HostPPID display anomalies (e-notation issues).
Additional Improvements
Helm charts updated to handle tolerations properly.
Introduced conditional deployment of pod refresh controllers.
Updated CI pipelines to use Ubuntu 22.04 runners and separated network tests for newer kernels.
Deprecated legacy Config Watcher in favor of karmor.yaml configuration.
Breaking Changes
Preset API Specification Updated:
Action is now defined at the per-preset level:
```yaml
presets:
  - name: protectEnv
    action: Block
```
Configuration changes via karmor.yaml will eventually replace existing ConfigMap fields.
Documentation Updates
Revised hardening policies and presets documentation.
Updated multi-OS deployment instructions and CLI long descriptions.
Added ModelArmor use cases and an improved getting started guide.
Upgrade Notes
Users are advised to review preset configurations and update CRDs accordingly.
When upgrading from v1.5, ensure Helm charts are updated to leverage new toleration handling and configuration management features.
Contributors
This release wouldn't have been possible without the incredible contributions from the community. Special thanks to all contributors for feature development, bug fixes, and reviews.
Resources
GitHub Repository
Changelog