Ubuntu 20.04 : KubeArmorPolicy are not working in Block mode #1997

@thungrac

Description

Bug Report

General Information

  • Environment description (GKE, VM-Kubeadm, vagrant-dev-env, minikube, microk8s, ...)

karmor probe output:

    OS Image:                  Ubuntu 20.04.1 LTS
    Kernel Version:            5.4.0-204-generic
    Kubelet Version:           v1.24.17
    Container Runtime:         containerd://1.7.22
    Active LSM:                AppArmor
    Host Security:             false
    Container Security:        true
    Container Default Posture: audit(File) audit(Capabilities) audit(Network)
    Host Default Posture:      audit(File) audit(Capabilities) audit(Network)
    Host Visibility:           none

    kubearmor-controller-5bf5bfdf45-gzf5l  Running: 3  Image Version: kubearmor/kubearmor-controller@sha256:c25f5ec126484ad1e589d277641e60aa742da8e1511b1f0c67d1132926626b19
    kubearmor-txx4d                        Running: 1  Image Version: kubearmor/kubearmor@sha256:3c8e2b89e325c6a4f908128764ad359bbfa0c4762e267a729fdc8012e2fe6c29

  • Kernel version (run uname -a)

Linux k8s-ai3 5.4.0-200-generic #220-Ubuntu SMP Fri Sep 27 13:19:16 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

  • Link to relevant artifacts (policies, deployments scripts, ...)

Using the multiubuntu deployment from this link and applying the policy from this link.

  • Target containers/pods

ubuntu-1-deployment

To Reproduce

  1. Install the KubeArmor Helm chart

Using Helm chart version 1.4.0 from this link.

Note: the delete role was removed due to this issue.

  2. Deploy the workload

Install the Deployment and the KubeArmorPolicy.

  3. Status
  • The pod does not have an AppArmor annotation, even after restarting the deployment.
  • Audit action works, but not Block.

== Alert / 2025-03-07 03:36:57.825271 ==
ClusterName: default
HostName: k8s-1
NamespaceName: multiubuntu
PodName: ubuntu-1-deployment-5fb5d475ff-mssff
Labels: container=ubuntu-1,group=group-1
ContainerName: ubuntu-1-container
ContainerID: 76776ab0fa7decd7e388120779c35124333ca7f057d1bc4e2f94e64dce7a82f3
ContainerImage: docker.io/kubearmor/ubuntu-w-utils:0.1@sha256:8c94d921d36698a63e02337302989e8311169b750cc0dd4713e688f3631ab4ba
Type: MatchedPolicy
PolicyName: ksp-group-1-proc-path-block
Severity: 5
Message: block /bin/sleep
Source: /bin/bash
Resource: /bin/sleep 1
Operation: Process
Action: Audit
Data: syscall=SYS_EXECVE
Enforcer: eBPF Monitor
Result: Passed
Cwd: /
HostPID: 371126
HostPPID: 370978
Owner: map[Name:ubuntu-1-deployment Namespace:multiubuntu Ref:Deployment]
PID: 112
PPID: 107
ParentProcessName: /bin/bash
ProcessName: /bin/sleep
TTY: pts0
UID: 0
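A small triage check for the symptom reported above, added here as an example and not part of the issue or of KubeArmor's code: it parses a karmor alert block and flags a policy whose spec says Block while the alert reports Audit, which is what you see when no LSM enforcer (AppArmor annotation) is attached to the pod. The policy-to-action map and the "enforced" counter-example alert are constructed for this example.

```python
from typing import Optional

# Constructed map of intended actions, as a defender would read them from the
# applied KubeArmorPolicy objects (spec.action); an assumption for this example.
POLICY_ACTIONS = {"ksp-group-1-proc-path-block": "Block"}

# Subset of the karmor alert quoted in the issue (Action is Audit, not Block).
ISSUE_ALERT = """== Alert / 2025-03-07 03:36:57.825271 ==
PodName: ubuntu-1-deployment-5fb5d475ff-mssff
PolicyName: ksp-group-1-proc-path-block
Resource: /bin/sleep 1
Operation: Process
Action: Audit
Enforcer: eBPF Monitor
Result: Passed
"""

# Constructed counter-example of what an enforced alert is expected to look like.
ENFORCED_ALERT = """== Alert / 2025-03-07 03:40:00.000000 ==
PodName: ubuntu-1-deployment-5fb5d475ff-mssff
PolicyName: ksp-group-1-proc-path-block
Resource: /bin/sleep 1
Operation: Process
Action: Block
Enforcer: AppArmor
Result: Permission denied
"""

def parse_alert(text: str) -> dict:
    """Turn one 'Key: Value' alert block into a dict; the '== Alert ==' header is skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("==") or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        fields[key.strip()] = value.strip()
    return fields

def enforcement_gap(alert: dict, policy_actions: dict) -> Optional[str]:
    """Return a diagnosis when the intended action was not applied, else None."""
    intended = policy_actions.get(alert.get("PolicyName"))
    if intended is None or alert.get("Action") == intended:
        return None  # unknown policy, or enforced as intended
    reasons = [f"policy wants {intended} but alert reports {alert.get('Action')}"]
    if alert.get("Enforcer") == "eBPF Monitor":
        reasons.append("no LSM enforcer attached (eBPF Monitor only observes)")
    if alert.get("Result") == "Passed":
        reasons.append("operation was allowed to run")
    return "; ".join(reasons)
```

Run it over the output of `karmor logs` one alert block at a time; any non-None result is a policy that is being audited rather than enforced.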
