Skip to content

HostPath Mounts Used by KubeArmor 🚧[WIP]

Jump to bottom
Aryan Sharma edited this page Jun 25, 2024 · 7 revisions

HostPath Mounts Used by KubeArmor

Introduction

KubeArmor enhances security by monitoring and enforcing security policies at the kernel level. This requires access to various parts of the host file system. This document details the hostPath mounts used by KubeArmor.

KubeArmor

Mandatory Mounts

1. sys-kernel-debug-path

  • Name: sys-kernel-debug-path
  • Path: /sys/kernel/debug
  • Type: Directory
  • Purpose: Provides access to the kernel's debug file system, essential for KubeArmor to use tracepoints for monitoring system calls and other kernel-level events.

2. Container runtime sockets (read-only) : needed for interacting with container runtimes, would be removed soon as we adopt OCI hooks

Type: Socket

Conditional Mounts

The following path is mounted only when we are using apparmor as enforcer:

1. apparmor.d Path

  • Name: etc-apparmor-d-path
  • Path: /etc/apparmor.d
  • Type: Directory
  • Purpose: Used to access apparmor profiles.

The following paths are mounted only when BTF (BPF Type Format) is not present on the system and an init container is required:

1. lib-modules-path (Read Only)

  • Name: lib-modules-path
  • Path: /lib/modules
  • Type: Directory
  • Purpose: Required to access kernel headers.

2. usr-src Path (Read Only)

  • Name: usr-src-path
  • Path: /usr/src
  • Type: Directory
  • Purpose: Required to access kernel headers.

3. os-release-path (Read Only)

  • Name: os-release-path
  • Path: /etc/os-release
  • Type: File
  • Purpose: Provides information about operating system.

Kubearmor controller

1. sys-path

  • Name: sys-path
  • Path: /sys/kernel/security
  • Type: Directory
  • Purpose: Provides information about the LSMs present on the system.

Kubearmor Snitch

1. apparmor-path

  • Name: apparmor-path
  • Path: /etc/apparmor.d/
  • Type: Directory
  • Purpose: Provides information about the Apparmor filesystem.

2. sys-path

  • Name: sys-path
  • Path: /sys/
  • Type: Directory
  • Purpose: Provides information about the security filesystems and enforcer.

3. var-path

  • Name: var-path
  • Path: /var/
  • Type: Directory
  • Purpose: Provides information about container runtime.

4. run-path

  • Name: run-path
  • Path: /run/
  • Type: Directory
  • Purpose: Provides information about container runtime.

5. seccomp-path

  • Name: seccomp-path
  • Path: /var/lib/kubelet/seccomp
  • Type: DirectoryOrCreate
  • Purpose: Provides information about the seccomp profiles present on the system.

Clone this wiki locally