This repository has been archived by the owner on Feb 18, 2024. It is now read-only.

accuknox/KubeArmor


KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level.

KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce user-specified policies. Using eBPF, KubeArmor also generates alerts and telemetry events that are annotated with container, pod and namespace identities.

Harden Infrastructure
  • Protect critical paths such as cert bundles
  • MITRE, STIGs, CIS based rules
  • Restrict access to raw DB tables

Least Permissive Access
  • Process whitelisting
  • Network whitelisting
  • Control access to sensitive assets

Application Behavior
  • Process execs, file system accesses
  • Service binds, ingress, egress connections
  • Sensitive system call profiling

Deployment Models
  • Kubernetes deployment
  • Containerized deployment
  • VM/bare-metal deployment

Architecture Overview

[Figure: KubeArmor high-level design diagram]

Documentation

Contributors

Biweekly Meetup

Notice/Credits

  • KubeArmor uses Tracee's system call utility functions.

CNCF

KubeArmor is a Sandbox Project of the Cloud Native Computing Foundation (CNCF).

About

Cloud-native Runtime Security Enforcement System. [CNCF Sandbox Project]


Languages

  • Go 73.4%
  • Shell 12.2%
  • C 7.8%
  • HTML 4.4%
  • Makefile 2.0%
  • Dockerfile 0.2%