Skip to content

Runtime detection and response for malicious events in Kubernetes workloads

License

Notifications You must be signed in to change notification settings

armosec/kubecop

Repository files navigation

Version build Go Report Card Gitpod Ready-to-Code Twitter Follow

KubeCop 🚨🚔🚢☸️🚨

KubeCop is a KDR - Kubernetes Detection and Response tool. It is designed to be a simple, low-footprint, easy-to-use, and effective tool for detecting and responding to threats in your Kubernetes cluster at runtime.

It is based on eBPF-based event monitoring on Kubernetes nodes and an advanced rule engine that allows you to write rules that can detect and respond to threats in your cluster and more specifically in your workload itself🛡️.

KubeCop supports two kinds of malicious behavior detections:

  • Signature-based - detecting application behavior that resembles attack techniques
  • Anomaly-based - identifying events that are not aligned with the baseline behavior of applications

KubeCop is capable of building an application baseline by itself and enforcing behavior. Application monitoring is based on the Kapprofiler project

What do you get when you install KubeCop?

Hopefully nothing 😉

If you connect it to your AlertManager endpoint, you will be able to monitor your Kubernetes cluster for malicious events and get alerted if something happens!

Design

Detection capabilities

KubeCop leverages advanced eBPF (extended Berkeley Packet Filter) technology for comprehensive runtime security detection in Kubernetes environments. Its detection capabilities encompass a wide array of events including new process initiations, file activities, network operations, system call activities, and usage of Linux capabilities.

Anomaly-based detection

A standout feature of KubeCop is its anomaly detection mechanism, which is grounded in application profiling. During a default learning period of 15 minutes (customizable by users, for production environments suggested to use at least 12 hours), KubeCop monitors applications for the aforementioned activities, subsequently building a detailed application profile. This profile, stored as a Kubernetes Custom Resource (CR), serves as a benchmark for normal behavior. Once the learning phase concludes and the profile is established, KubeCop validates application events coming from eBPF for deviations from this norm, triggering alerts upon detecting anomalies.

Signature-based detection

Additionally, KubeCop is equipped with rules designed to identify well-known attack signatures. These rules are adept at uncovering various threats, such as unauthorized software executions that deviate from the original container image, detection of unpackers in memory, reverse shell activities, and more. Users have the flexibility to create 'Rule Bindings'—specific instructions that direct KubeCop on which rules should be applied to which Pods. This level of customization ensures that security measures are tailored to the unique needs of each Kubernetes deployment, enhancing the overall security posture and responsiveness of the system.

Host malware scanning

KubeCop can scan the nodes for malware using ClamAV as an engine, a popular open-source antivirus engine. ClamAV supports scanning of files, directories, and volumes, and can be configured to scan the entire node or only specific directories. You can read more about ClamAV here.

KubeCop uses its own virus database which is a subset of the latest ClamAV virus database release but adopted to Kubernetes environment to save resources.

Rules

See here more about our rules

Rule bindings

To learn more about binding rules to workloads, see RuntimeRuleAlertBinding.

Getting started

KubeCop deployment is installed and managed using Helm.

Installation

Basic installation

To install KubeCop on your Kubernetes cluster, do the following steps:

helm repo add kubecop https://armosec.github.io/kubecop
helm repo update
# Assuming AlertManager is running in service  "alertmanager-operated" in namespace "monitoring"
helm install kubecop kubecop/kubecop -n kubescape --create-namespace

You should be getting alerts after the learning period ends. Try kubectl exec on one of the Pods after the learning period!

Namespaced installation

By default, KubeCop is installed in the kubescape namespace and stores application profiles in the application namespace and rule bindings as a cluster-wide resource. If you want KubeCop to save all of it's data, in it's own namespace, you can use the following commands:

helm repo add kubecop https://armosec.github.io/kubecop
helm repo update
# Assuming AlertManager is running in service  "alertmanager-operated" in namespace "monitoring"
helm install kubecop kubecop/kubecop -n kubescape --create-namespace --set isNamespaced=true --set isClusterScoped=false

Advanced parameter configurations

Exporters are the mechanisms in the system to send alerts to external endpoints from KubeCop engine. For more information about exporters, see here

Finalization

The parameter kubecop.recording.finalizationDuration controls the learning period of the baseline behavior of workloads. The default setting is 15 minutes, but this is not a good value for production environments only for testing. For production environments we suggest at least 12 hour learning period (sometimes even 24 hours to cover daily recurring tasks) and set this to 12h

Exporters

Exporters are the mechanisms in the system to send alerts to external endpoints from KubeCop engine.

They can be enabled with Helm (Stdout is on by default)

Currently supported:

  • Alert manager
    • Enable: kubecop.alertmanager.enabled
    • Endpoint: kubecop.alertmanager.endpoints (example localhost:9093 or localhost:9093,localhost:9094)
  • Syslog (RFC 5424)
    • Enable: kubecop.syslog.enabled
    • Endpoint: kubecop.syslog.endpoint (example localhost:514)
    • Protocol: kubecop.syslog.protocol (example udp)
  • Stdout (printing alerts to log)
  • CSV (writing alerts to CSV file)
    • Enable: kubecop.csv.enabled
    • Path: kubecop.csv.path (example /tmp/alerts.csv)

Read more about them here

Metrics export

KubeCop can export internal metrics to Prometheus. Internal metrics include:

  • Number of alerts sent
  • Number of events processed (exec, open, etc.)
  • Number of application profile changes

These metrics can be useful to understand the load on the system how it behaves.

You can enable the exported with kubecop.prometheusExporter.enabled=true.

ClamAV Scanning

To enable ClamAV scanning, you need to use the following parameter in Helm: kubecop.clamav.enabled=true.
Please note that ClamAV scanning is not enabled by default, and it is not recommended for low-resource environments.

Bindings

KubeCop applies alert rules on Kubernetes workloads based on rule-binding configuration.

Rule-binding are simple objects (CRDs) very similar to existing Kubernetes binding objects like RoleBinding or AdmissionPolicyBinding. They have two major parts:

  • Matching (to which object the rules are applied to)
  • Rule list (what rules to apply to these objects)

The default Helm installation comes with a basic rule-binding object called all-rules-all-pods which effectively applies all the existing rules to all Pods except kube-system namespace and KubeCop itself.

The bindings should be adjusted according to the alert settings fitting the deployments.

Requirements

KubeCop supports Linux nodes only (since it is eBPF based), it also requires CAP_SYS_ADMIN capability (but not privilged:true).