Running karmor probe on operator installation throws incorrect posture values

[rootxrishabh]

Bug Report

General Information

• Environment description - K3s
• Kernel version - Linux kubearmor-os-1 6.2.0-1019-gcp kubearmor/KubeArmor#21~22.04.1-Ubuntu SMP Thu Nov 16 18:18:34 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
• Orchestration system version in use - v1.23
• Link to relevant artifacts (policies, deployments scripts, ...)
• Target containers/pods

To Reproduce

1. Set default posture settings to block.
   

2. Deploy Kubearmor using helm-based local deployment.
   

3. Confirm posture settings using karmor probe.
   

Expected behavior
Karmor probe should confirm that Default Posture is set to block based for File, Capabilities, and Network but rather shows audit.
CC @rksharma95

[rksharma95]

@rootxrishabh Can you check posture values in kubearmor configmap kubearmor-config?

[rootxrishabh]

The configmap does show up the values as intended. However, kubearmor-config does set posture settings globally and should block all activity related to file, process, and network globally, right?

[rksharma95]

@rootxrishabh yes you're right, global posture should be set to block for process, file and network. have you tested the enforcement with an allow based policy?

[rootxrishabh]

Ok so it looks like the posture settings are working well!
Policy applied:
apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: name: ksp-ubuntu-5-net-tcp-allow-curl namespace: default spec: severity: 8 selector: matchLabels: app: nginx network: matchProtocols: - protocol: tcp fromSource: - path: /usr/bin/curl action: Allow

Result -
root@nginx-85b98978db-mpjxz:/# curl google.com curl: (6) Could not resolve host: google.com

So I guess karmor probe needs to be tweaked when working with operator-based deployment.

[rootxrishabh]

One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

[rksharma95]

One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

yes default posture comes into picture with a allow based policy, ref: https://github.com/kubearmor/KubeArmor/blob/main/getting-started/default_posture.md

[rootxrishabh]

Thanks @rksharma95, will be opening an issue at kubearmor-client for the probe info.