KubeArmor supports a configurable default security posture. The security posture can be allow, audit or deny. The default posture is used when there is at least one Allow policy for the given deployment, i.e. when KubeArmor is handling policies in a whitelisting manner (more about this under Considerations in Policy Action).

There are two default modes of operation available: `block` and `audit`. `block` mode blocks all operations that are not allowed by the policy. `audit` mode generates telemetry events for operations that would otherwise have been blocked.

KubeArmor has 4 types of resources: Process, File, Network and Capabilities. The default posture is configurable for each of the resources separately, except Process. Process-based operations are treated under the File resource only.

Note: By default, KubeArmor sets the global default posture to `audit`.

The global default posture is configured using configuration options passed to KubeArmor through a configuration file, or using command line flags with the KubeArmor binary.

Namespace annotations are used to configure the default posture per namespace. The supported annotation keys are `kubearmor-file-posture`, `kubearmor-network-posture` and `kubearmor-capabilities-posture`, with the values `block` or `audit`. If a namespace is annotated with a supported key and an invalid value (like `kubearmor-file-posture=invalid`), KubeArmor will overwrite the value with the global default posture (i.e. to `kubearmor-file-posture=block` when the global file posture is `block`).
Let's start KubeArmor with the default network posture configured to audit using the following YAML.
Contents of kubearmor.yaml
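As an added example (not the configuration file from the original page), the following KubeArmor configuration sets the global posture per resource. The keys `defaultFilePosture`, `defaultNetworkPosture` and `defaultCapabilitiesPosture` are assumed here to be KubeArmor's configuration keys; the equivalent command line flags in the comment carry the same names and are an assumption as well. Only the network posture is left at `audit`, matching the walkthrough above; file and capabilities are set to `block` to show that each resource is configured independently.

```yaml
# kubearmor.yaml (added example; keys assumed to match KubeArmor's config options)
# Default posture per resource. Process operations fall under the file posture.
defaultFilePosture: block          # block operations not allowed by an Allow policy
defaultNetworkPosture: audit       # only generate telemetry for disallowed network ops
defaultCapabilitiesPosture: block  # block capabilities not allowed by an Allow policy

# Equivalent command line invocation (assumed flag names):
#   kubearmor -defaultFilePosture=block \
#             -defaultNetworkPosture=audit \
#             -defaultCapabilitiesPosture=block
```

Whichever resource is left at `audit` is where a disallowed operation succeeds but is reported; with `block`, the same operation fails and an alert with `Action: Block` is raised, so pick `audit` first when rolling out a new Allow policy and tighten to `block` once the generated telemetry shows no legitimate traffic is being caught.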
Here's a sample policy to allow `tcp` connections from the `curl` binary.

Note: This example is in the multiubuntu environment.
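The following KubeArmorPolicy is an added example, not the policy file from the original page. It assumes the policy name `ksp-ubuntu-5-net-tcp-allow-curl`, the selector label `container: ubuntu-5` for the `ubuntu-5-deployment` pods, and `/usr/bin/curl` as the path of the curl binary inside the container; adjust these to the deployment you are testing against.

```yaml
# Added example policy (names, label and binary path are assumptions).
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-5-net-tcp-allow-curl
  namespace: multiubuntu
spec:
  severity: 8
  selector:
    matchLabels:
      container: ubuntu-5        # assumed label of the ubuntu-5-deployment pods
  network:
    matchProtocols:
    - protocol: tcp              # only TCP is whitelisted
      fromSource:
      - path: /usr/bin/curl      # and only when initiated by this binary
  action:
    Allow
```

Because this is an Allow policy, every network operation in the selected pods that is not covered by it (for example UDP from any binary, or TCP from a binary other than curl) now falls under the namespace's default network posture: audited while that posture is `audit`, blocked once it is switched to `block`.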
Inside the `ubuntu-5-deployment`, if we try to access `tcp` using `curl`, it works as expected and no telemetry is generated.

If we try to access `udp` using `curl`, a bunch of telemetry is generated for the `udp` access, because `curl google.com` requires UDP for DNS resolution.
The generated alert has Policy Name `DefaultPosture` and Action `Audit`.
Now let's update the default network posture to block for the `multiubuntu` namespace.
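One way to apply the per-namespace posture declaratively, as an added example rather than the command from the original page: a Namespace manifest carrying the supported annotation. Only the annotation key and values are from the page; the manifest itself is constructed here and can be applied with `kubectl apply -f`.

```yaml
# Added example: per-namespace default posture via annotations.
apiVersion: v1
kind: Namespace
metadata:
  name: multiubuntu
  annotations:
    kubearmor-network-posture: block   # disallowed network ops are now blocked here
    # Other resources keep the global default unless annotated:
    # kubearmor-file-posture: audit
    # kubearmor-capabilities-posture: audit
```

An annotation value other than `block` or `audit` is not honoured: KubeArmor rewrites it to the global default for that resource, so a typo in the value silently relaxes (or tightens) the posture to whatever the global configuration says. Verify the annotation after applying it rather than assuming it was accepted.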
Now if we try to access `udp` using `curl`, the action is blocked and related alerts are generated. Here `curl` couldn't resolve google.com due to the blocked access to UDP.
The generated alert has Policy Name `DefaultPosture` and Action `Block`.
Let's try to set the annotation value to something invalid.

We can see that the annotation value was automatically updated to `audit`, since that was the global mode of operation for network in the KubeArmor configuration.