
KubeArmor is not blocking the process as expected #1839

Open
myugan opened this issue Aug 14, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@myugan

myugan commented Aug 14, 2024

Bug Report

General Information

  • Environment description (GKE, VM-Kubeadm, vagrant-dev-env, minikube, microk8s, ...): kubeadm
  • Kernel version (run uname -a): 6.5.0-1020-aws
  • Orchestration system version in use (e.g. kubectl version, ...): v1.29.5
  • Link to relevant artifacts (policies, deployments scripts, ...)
  • Target containers/pods

To Reproduce

  1. Install KubeArmor using the Helm chart
  2. Apply the policy below to block the sleep command. Verify that the policy is successfully applied to the respective pod using karmor probe.
cat > ksp-ubuntu-proc-block.yaml <<EOL
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-proc-block
  namespace: default
spec:
  message: "block /usr/bin/sleep"
  selector:
    matchLabels:
      os: ubuntu
  process:
    matchPaths:
    - path: /usr/bin/sleep
  action: Block
EOL

Expected behavior

KubeArmor must block any activities according to the created policy.

Screenshots

[screenshot]
@myugan myugan added the bug Something isn't working label Aug 14, 2024
@daemon1024
Member

Hey @myugan, can you share how you are trying to violate it and what output you see?
The configuration looks good to me.

Additionally, can you run which sleep in the ubuntu pod and check what the binary name is?

@myugan
Author

myugan commented Aug 14, 2024

Hello @daemon1024, I have verified that the sleep binary appears to be correct, and I even attempted to replace it with another binary file, but it did not block either. Is there a method to display the complete debug message in order to understand why it is not blocking the action according to the policy? Additionally, the output is not appearing in the karmor logs.

@daemon1024
Member

Can we check if the Pod has an apparmor annotation? Can you share the Pod/Deployment spec?

@myugan
Author

myugan commented Aug 23, 2024

There is no annotation in the pod. Here is the manifest file.

apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
  labels:
    os: ubuntu
spec:
  containers:
  - image: ubuntu
    command:
      - "sleep"
      - "604800"
    imagePullPolicy: IfNotPresent
    name: ubuntu
  restartPolicy: Always

I have checked the Pod annotation, and it says the policy is enabled as well.

...[SNIP]...
    cni.projectcalico.org/containerID: 08d1ca3a983909decb7b3a73c041105a48b6fbc70fdc69311acca739be8033ba
    cni.projectcalico.org/podIP: 192.168.94.9/32
    cni.projectcalico.org/podIPs: 192.168.94.9/32
    kubearmor-policy: enabled
    kubearmor-visibility: process,file,network,capabilities

@sh1nnyboy

sh1nnyboy commented Sep 11, 2024

Got the same issue, any idea @daemon1024 ?

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-ubuntu-net-icmp-block
  namespace: default
spec:
  selector:
    matchLabels:
      os: ubuntu-util
  network:
    matchProtocols:
    - protocol: icmp
  action: Block

@TheWeak3stLink

TheWeak3stLink commented Oct 30, 2024

It seems like you have kubearmor in audit mode, not block. In my case I'm having the same issue, but I configured the policy in block mode using annotations:

[screenshot]

Policy definition:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-mysql-block
  namespace: default
spec:
  message: "Block /var/lib/mysql/"
  severity: 5
  selector:
    matchLabels:
      name: mysql-pod
  file:
    matchDirectories:
    - dir: /var/lib/mysql/
      recursive: true
  action: Block

Karmor probe output:

[screenshot]

But I'm able to create files under /var/lib/mysql/ without being blocked.
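A small diagnostic for the two questions raised in this thread (does the policy selector actually match the pod, and does the pod carry the kubearmor-policy and per-container AppArmor annotations KubeArmor needs to enforce rather than audit). This is an added example, not KubeArmor's own code: the manifests are constructed from the ones posted above, and the annotation-key prefix assumed is the standard Kubernetes AppArmor one.

```python
# Prefix of the per-container AppArmor annotation KubeArmor sets when the
# AppArmor enforcer is active (assumed standard Kubernetes key).
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

# Constructed from the policy and pod manifests posted in the issue.
POLICY = {
    "kind": "KubeArmorPolicy",
    "metadata": {"name": "ksp-ubuntu-proc-block", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"os": "ubuntu"}},
             "process": {"matchPaths": [{"path": "/usr/bin/sleep"}]},
             "action": "Block"},
}
POD = {
    "kind": "Pod",
    "metadata": {"name": "ubuntu", "namespace": "default",
                 "labels": {"os": "ubuntu"},
                 "annotations": {"kubearmor-policy": "enabled",
                                 "kubearmor-visibility": "process,file,network,capabilities"}},
    "spec": {"containers": [{"name": "ubuntu", "image": "ubuntu",
                             "command": ["sleep", "604800"]}]},
}


def selector_matches(policy, pod):
    """True when policy and pod share a namespace and every matchLabels
    pair is present on the pod (a label-subset match, as Kubernetes does)."""
    pol_ns = policy["metadata"].get("namespace", "default")
    if pol_ns != pod["metadata"].get("namespace", "default"):
        return False
    wanted = policy["spec"]["selector"].get("matchLabels", {})
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def enforcement_findings(policy, pod):
    """List the reasons, visible in the manifests alone, why a Block policy
    might only be audited for this pod. Empty list: nothing obvious missing."""
    findings = []
    if not selector_matches(policy, pod):
        findings.append("selector does not match pod labels/namespace")
    if policy["spec"].get("action") != "Block":
        findings.append("policy action is %r, not Block" % policy["spec"].get("action"))
    ann = pod["metadata"].get("annotations", {})
    if ann.get("kubearmor-policy") != "enabled":
        findings.append("pod annotation kubearmor-policy is not 'enabled'")
    # With the AppArmor enforcer KubeArmor annotates each container with a
    # profile; if that is absent and the node has no BPF-LSM either, the
    # policy is audited rather than enforced (the symptom in this thread).
    for c in pod["spec"].get("containers", []):
        if APPARMOR_PREFIX + c["name"] not in ann:
            findings.append("container %r has no AppArmor profile annotation" % c["name"])
    return findings
```

Run it against the real objects by replacing POLICY and POD with the output of kubectl get -o json; the selector check also catches a label mismatch such as os: ubuntu-util against a pod labelled os: ubuntu.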
