Enforcer Feature Parity
KubeArmor leverages LSMs for enforcement, there's a disparity in how KubeArmor functions with whichever LSM is available. Here's a summarised table for that.
| Feature/Behaviour | BPF LSM | AppArmor |
|---|---|---|
| kubectl exec | Policy Enforced on Immediate Child | Policy not Enforced on Immediate Child |
Deployment with allowPrivilegeEscalation to false
|
Full Enforcement | Limited Enforcement |
Policy Enforcement for matchPatterns
|
Not Supported | Globbing Syntax Support |
| Network Rules | Full Enforcement | ICMP Rules not working |
| Accurate Alerting | Alert generated when blocked | Alerts generated from eBPF monitor based on deterministic policy matching |
