update deployment guide with FTR changes
Signed-off-by: rk <ramakant@accuknox.com>
rksharma95 committed Sep 27, 2022
1 parent 1e23259 commit 92e771b
Showing 2 changed files with 121 additions and 2 deletions.
9 changes: 9 additions & 0 deletions README.md
@@ -15,6 +15,15 @@ KubeArmor leverages [Linux security modules \(LSMs\)](https://en.wikipedia.org/w

![KubeArmor High Level Design](.gitbook/assets/kubearmor_overview.png)

## Use Cases
### Kubernetes Runtime Security
Kubearmor provides runtime protection for the Kubernetes workloads. It can restrict the runtime behavior of the pods/containers running on the k8s node at the system level using the Linux Security Modules. Apparmor, SElinux and BPF LSM are currently supported LSMs by Kubearmor. It Provides easy-to-use Policy semantics using Kubernetes CRDs. K8s custom resource `KubeArmorPolicy` can be used by the user to specify the security policy for the container/pod.
### Unorchestrated Container Runtime Security
Kubearmor as a runtime security engine can also protect the non-orchestrated containerized workload running directly on a host/VM. Kubearmor can provide visibility as well as protection for process, file and network operations in the container workloads. It makes Kubearmor a perfect candidate for a runtime security solution to protect the IoT Edge containerized workloads. Kubearmor is well tested with the [Open Horizon](https://www.lfedge.org/projects/openhorizon/), an edge computing platform. This [post](https://github.com/kubearmor/KubeArmor/wiki/KubeArmor-to-protect-IoT-Edge-containerized-workloads) provides more information on Kubearmor to protect IoT edge container workloads on Open Horizon platform.
### Host (VM/Bare Metal) Runtime Security
Kubearmor can also be used to protect any Virtual Machine or Bare Metal host. Kubearmor can be installed as a systemd service. The security policy for the host called `KubeArmorHostPolicy` can be applied and managed using the Kubearmor CLI-tool called [Karmor](https://github.com/kubearmor/kubearmor-client). Defining KubeArmorHostPolicy is not different from defining KubeArmorPolicy, both shares the same semantics.


## Functionality Overview

* Restrict the behavior of containers and nodes (VMs) at the system level
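Review bot: the added Use Cases text switches the product name to "Kubearmor" while the surrounding README (the "KubeArmor leverages" context at the top of this hunk) writes "KubeArmor"; pick one spelling. Grammar in the new lines: "It Provides easy-to-use Policy semantics" should be "It provides easy-to-use policy semantics", "both shares the same semantics" should be "both share the same semantics", and the LSM names are conventionally written AppArmor and SELinux. "Defining KubeArmorHostPolicy is not different from defining KubeArmorPolicy" reads more clearly as "A KubeArmorHostPolicy uses the same semantics as a KubeArmorPolicy". Also drop one of the two blank lines inserted before "## Functionality Overview".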
114 changes: 112 additions & 2 deletions deployments/EKS/README.md
@@ -1,6 +1,42 @@
# Deploy KubeArmor on EKS

## 1. Prerequisite for the deployment
Kubearmor can be deployed on the Amazon EKS cluster, it can be deployed using Helm chart or Kubearmor CLI-tool [karmor](https://github.com/kubearmor/kubearmor-client). This guide aims to provides detailed information for deploying Kubearmor on Amazon EKS Cluster.

This deployment guide requires a basic level understanding of [AWS Services](https://aws.amazon.com/) and assumes that the user is familiar with [Amazon EKS](https://aws.amazon.com/eks/) and [Kubenetes](https://kubernetes.io/). In this guide we’ll create a new EKS cluster if you want to deploy the Kubearmor to an existing EKS cluster make sure that the AWS user must have sufficient [IAM Permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html) and roles to deploy kubernetes resources, for more information follow [Add IAM user or roles to Amazon EKS Cluster](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) and [Required Permissions](https://docs.aws.amazon.com/eks/latest/userguide/view-kubernetes-resources.html#view-kubernetes-resources-permissions). Kubernetes resources deployed with Kubearmor are Daemonset, Deployment, Serviceaccount with ClusterRoleBinding, and Services.

## 1. Prerequisite and Requirements for the deployment

### Host Requirements

Kubearmor supports a wide range of Kubernetes engines and Operating systems. Some environments supports only partial features of the Kubearmor for example Amazon Linux 2 (kernel version 5.4) does not support security policy enforcement in the k8s mode. [The k8s support matrix](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/support_matrix.md#k8s-support-matrix) provides an overview of the supported kubernetes engines, operating systems, and supported Kubearmor features.

### Precheck Using Kubearmor CLI-tool

`Karmor` can be used to check the supported Kubearmor features in the current environment. Make sure that kubeconfig should be configured with the AWS ECS cluster configs.

Install karmor cli-tool
```
$ curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
```
Run the following command
```
$ karmor probe
# Example Output
Didn't find KubeArmor in systemd or Kubernetes, probing for support for KubeArmor
Host:
Observability/Audit: Supported (Kernel Version 5.15.0)
Enforcement: Full (Supported LSMs: lockdown,capability,landlock,yama,apparmor)
To get full probe, a daemonset will be deployed in your cluster - This daemonset will be deleted after probing
Use --full tag to get full probing
```
As in the example output, it will show the information of the supported Kubearmor features i.e. Observability, Enforcement, etc by the current environment.

### Technical Requirements

EKS cluster can be setup in many ways such as using AWS management console, using eksctl a tool provided by AWS and using IaC tools i.e. Terraform, Ansible can also be used to create an EKS cluster. In this guide we are going to use the eksctl tool to setup the cluster, for more information read [Getting started with Amazon EKS](https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html).

- Set up AWS credentials on your system

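Review bot: this hunk leaves two headings numbered "## 1." in the file (the existing "## 1. Prerequisite for the deployment" and the new "## 1. Prerequisite and Requirements for the deployment"); either move the two existing paragraphs under the new heading or renumber the sections. In the Precheck section, "configured with the AWS ECS cluster configs" should read EKS, since ECS is a different AWS service. The install line fetches the installer over plain http and pipes it straight into `sudo sh`; prefer an https URL if get.kubearmor.io serves one, or tell readers to download the script and inspect it before running it as root. The two code fences in this section carry no language tag; tagging them (for example `console` for the prompt-and-output block) gives syntax highlighting, and "Operating systems", "supports only partial features of the Kubearmor" and "Make sure that kubeconfig should be configured" need small grammar fixes ("operating systems", "support only some Kubearmor features", "Make sure that kubeconfig is configured").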
@@ -17,6 +53,8 @@

## 2. Creating an EKS cluster

eksctl creates several required resources automatically i.e. dedicated VPC, managed node group, required IAM roles and security groups, and EKS cluster which has to be created manually if the cluster is created using AWS management console. eksctl also adds the cluster configurations to the kubeconfig file in ~/.kube that enables the kubectl to talk with the EKS cluster.

- Create ClusterConfig (eks-config.yaml)

<details>
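Review bot: the new eksctl paragraph is ambiguous: "eksctl creates several required resources automatically i.e. dedicated VPC, managed node group, required IAM roles and security groups, and EKS cluster which has to be created manually if the cluster is created using AWS management console" can be read as saying only the cluster itself needs manual creation in the console. Suggest: "eksctl automatically creates the resources an EKS cluster needs (a dedicated VPC, a managed node group, the required IAM roles and security groups, and the cluster itself), all of which would have to be created by hand through the AWS Management Console." Also use "e.g." rather than "i.e." if the list is not exhaustive, and "in ~/.kube" should name the file eksctl actually writes, ~/.kube/config, so readers with a custom KUBECONFIG know where to look.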
@@ -72,6 +110,13 @@
KubeArmor on RedHat based Linux distributions currently supports the audit mode only, which means that you are not able to enforce security policies while the events related to the policies can be audited.
</details>

<details>
<summary>(Option 3) Create an EKS cluster configuration using Bottlerocket </summary>

Follow the
[Using a Bottlerocket AMI with Amazon EKS](https://github.com/bottlerocket-os/bottlerocket/blob/develop/QUICKSTART-EKS.md) guide.
</details>

- Create the EKS cluster:

Create the cluster using eksctl
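Review bot: Option 3 (Bottlerocket) says nothing about which KubeArmor features work on that AMI, while Option 2 directly above explicitly warns that RedHat-based distributions are audit-only. Readers choosing between the options need the same statement for Bottlerocket (observability, enforcement, and which LSM is used), or at least a pointer to the support matrix linked from the Host Requirements section, before they follow the external quickstart. Minor: there is a trailing space inside the summary ("Bottlerocket </summary>"), and "Follow the" and the link can sit on one line.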
@@ -158,4 +203,69 @@

## 3. Deploying KubeArmor

- Follow the [deployment guide](../../getting-started/deployment_guide.md) to install KubeArmor in the cluster.
Karmor tool can be used to quick install and interact with the Kubearmor on EKS cluster. Karmor can auto detect the running environment and installs the Kubearmor with applicable configurations. It deploys k8s resources i.e. Daemonset, Deployments, Services, Serviceaccount with ClusterRole, and CRDs in the cluster node. We've observed the estimated time it takes to complete the installation is approximately 2 minutes. Karmor shows the information about installation time in the output.

The main components of the Kubearmor deployed in Kubernetes node are as follows:

### Kubearmor Daemon

The Kubearmor runs as a Daemonset that deploys a pod on each Kubernetes node. It configures the core components of the Kubearmor on the node consisting of the ebpf-based system monitor, linux security module (lsm) based enforcer and Logger service to serve the logs and alerts. It exposes the port 32767 to serve the logs, alerts and messages using the grpc service. Some of the volume mounts declared with pods are /opt/kubearmor/BPF for the bpf binaries, /sys/fs/bpf to manage bpf persistent objects, /etc/apparmor.d for apparmor profiles if the Kubearmor is configured with apparmor as lsm enforcement, and also mounts the CRI socket based on the container runtime kubernetes is configured with.

### Kubearmor Relay

KubeArmor's relay server collects all messages, alerts, and system logs generated by KubeArmor in each node, and then it allows other logging systems to simply collect those through the service ('kubearmor.kube-system.svc') of the relay server.

### KubeArmor Controller

KubeArmorController, is the component responsible for apparmor annotations, it sets them via mutation webhooks. We also define our CRDs, in the controller. The annotations are added to the pods by the controller to utilize them in Kubearmor to manage and configure the applicable security profile.

There are two types of annotations that we add.

1. KubeArmor specific annotations:

`kubearmor-visibility`: defines the visibility level ("process,file,network,capabilities")

`kubearmor-policy`: can be either "audited or enabled" sets whether policy enforcement will take place

2. Apparmor specific annotation:

This annotation is used to maintain a mapping between pod/container and the apparmor profile. It follows the pattern container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>

### Security

> No root-privileges are required to deploy the Kubearmor to the EKS cluster. Any user with required permissions granted to the assumed IAM role can deploy the Kubearmor to an EKS cluster. Check [Enabling IAM user and role access to your cluster](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) for more information on how to add additional users to interact with the existing cluster.
>Kubearmor follows the policy of least privilege for all access grants. Kubearmor daemon deploy with only the required capabilities assigned to the container.
```yaml
securityContext:
privileged: false
capabilities:
drop:
- ALL
add:
- SETUID
- SETGID
- SETPCAP
- SYS_ADMIN
- SYS_PTRACE
- MAC_ADMIN
- SYS_RESOURCE
- IPC_LOCK
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH

```

### Installation Steps

### 1. Download and install karmor cli-tool
```
curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
```

### 2. Install KubeArmor
```
karmor install
```
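Review bot: the securityContext snippet under Security mixes capability naming conventions: `CAP_DAC_OVERRIDE` and `CAP_DAC_READ_SEARCH` carry the CAP_ prefix while the other eight entries do not; Kubernetes documentation lists capabilities without the prefix, so `DAC_OVERRIDE` and `DAC_READ_SEARCH` would be consistent with the rest. As shown here the snippet also has no indentation (`privileged:`, `capabilities:`, `drop:`, `add:` and the list items all start at column 0), which YAML parses as flat sibling keys rather than a nested securityContext, so anyone copying it gets the wrong structure; if that is how it is in the file, indent it as it appears in the manifest. Since the paragraph claims least privilege, one sentence on why SYS_ADMIN, SYS_PTRACE and MAC_ADMIN are required (loading BPF programs and managing objects under /sys/fs/bpf, and managing AppArmor profiles in /etc/apparmor.d, as the Kubearmor Daemon section describes) would let readers evaluate that claim instead of taking it on trust. Smaller points: the two `>` quote lines run straight into the yaml fence with no blank line, so the fence may render inside the blockquote; "Karmor tool can be used to quick install" should be "to quickly install"; the pattern `container.apparmor.security.beta.kubernetes.io/<container_name>: <profile_ref>` should be in backticks, otherwise `<container_name>` is swallowed as an HTML tag when the markdown renders; the "### 1." and "### 2." step headings sit at the same level as "### Installation Steps" and should be one level deeper; and the removed link to ../../getting-started/deployment_guide.md was the only pointer to the general deployment guide, so consider keeping it alongside the karmor instructions for readers who want the Helm route mentioned in the prerequisites.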

