Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Running karmor probe on operator installation throws incorrect posture values #398

Open
rootxrishabh opened this issue Jan 21, 2024 · 7 comments
Open

Running karmor probe on operator installation throws incorrect posture values #398

rootxrishabh opened this issue Jan 21, 2024 · 7 comments
Labels
bug Something isn't working

Comments

@rootxrishabh
Copy link
Member

rootxrishabh commented Jan 21, 2024
edited
Loading

Bug Report

General Information

  • Environment description - K3s
  • Kernel version - Linux kubearmor-os-1 6.2.0-1019-gcp kubearmor/KubeArmor#21~22.04.1-Ubuntu SMP Thu Nov 16 18:18:34 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
  • Orchestration system version in use - v1.23
  • Link to relevant artifacts (policies, deployments scripts, ...)
  • Target containers/pods

To Reproduce

  1. Set default posture settings to block.
    image

  2. Deploy Kubearmor using helm-based local deployment.
    image

  3. Confirm posture settings using karmor probe.
    image

Expected behavior
Karmor probe should confirm that Default Posture is set to block based for File, Capabilities, and Network but rather shows audit.
CC @rksharma95
@rootxrishabh rootxrishabh added the bug Something isn't working label Jan 21, 2024
@rootxrishabh rootxrishabh mentioned this issue Jan 21, 2024
Closed
3 tasks
@rksharma95
Copy link
Contributor

rksharma95 commented Jan 22, 2024
edited
Loading

@rootxrishabh Can you check posture values in kubearmor configmap kubearmor-config?

@rootxrishabh
Copy link
Member Author

The configmap does show up the values as intended. However, kubearmor-config does set posture settings globally and should block all activity related to file, process, and network globally, right?
image

@rksharma95
Copy link
Contributor

@rootxrishabh yes you're right, global posture should be set to block for process, file and network. have you tested the enforcement with an allow based policy?

@rootxrishabh
Copy link
Member Author

Ok so it looks like the posture settings are working well!
Policy applied:
apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: name: ksp-ubuntu-5-net-tcp-allow-curl namespace: default spec: severity: 8 selector: matchLabels: app: nginx network: matchProtocols: - protocol: tcp fromSource: - path: /usr/bin/curl action: Allow

Result -
root@nginx-85b98978db-mpjxz:/# curl google.com curl: (6) Could not resolve host: google.com

So I guess karmor probe needs to be tweaked when working with operator-based deployment.

@rootxrishabh
Copy link
Member Author

One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

@rksharma95
Copy link
Contributor

One last question, Basically posture is only enforced around a policy right? For example, all posture set to block without a policy doesn't deny all processes, network and file activities. Right?

yes default posture comes into picture with a allow based policy, ref: https://github.com/kubearmor/KubeArmor/blob/main/getting-started/default_posture.md

@rootxrishabh
Copy link
Member Author

Thanks @rksharma95, will be opening an issue at kubearmor-client for the probe info.

@rootxrishabh rootxrishabh transferred this issue from kubearmor/KubeArmor Jan 23, 2024
@rootxrishabh rootxrishabh reopened this Jan 23, 2024
@rootxrishabh rootxrishabh changed the title Local Operator installation doesn’t change posture settings when supplied in kubearmorconfig Running karmor probe on operator installation throws incorrect posture values Jan 23, 2024
@rootxrishabh rootxrishabh mentioned this issue Mar 6, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rootxrishabh @rksharma95