Host Security Policy not enforced #1765
Tried reproducing the error, but HSP enforcement works on my machine with:
OS - openSUSE Tumbleweed
Applied the policy:
Result: Kubearmor logs of
I think that narrows down the bug to Arch Linux only, since both runs are on the same kernel version and the same cluster version
@tesla59 can I know in which container you ran sleep?
@harisudarsan1 on the host itself
kubearmor isn't able to enforce if it is running inside a k8s cluster. So try deploying wordpress
We discussed this further on slack - ref. This can be reproduced consistently with non-operator Kubernetes installation in environment which doesn't have neither
$ cat /sys/kernel/security/lsm
capability,landlock,lockdown,yama,bpf
Things we need to fix are:
Can confirm. The machine which the kubearmor is running on has active bpf but not apparmor
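The LSM list quoted in the comments above can be checked on each node with a small helper like this one. It is an added example, not part of the issue thread or of KubeArmor's code; the function names and the choice of apparmor, selinux and bpf as the names to look for are assumptions of the example.

```shell
#!/bin/sh
# Added example: report which LSMs of interest are active on a node.
# LSM_FILE is the securityfs path quoted in the thread.
LSM_FILE="${LSM_FILE:-/sys/kernel/security/lsm}"

# Constructed sample: the LSM list quoted in the thread.
SAMPLE="capability,landlock,lockdown,yama,bpf"

# lsm_active LIST NAME: succeeds only if NAME is an exact entry of the
# comma-separated LIST (a substring such as "bpf" in "bpfx" does not count).
lsm_active() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# lsm_report LIST NAME...: prints "name=active" or "name=absent" per NAME.
lsm_report() {
    list=$1; shift
    out=""
    for name in "$@"; do
        if lsm_active "$list" "$name"; then state=active; else state=absent; fi
        out="${out}${out:+ }${name}=${state}"
    done
    printf '%s\n' "$out"
}

# lsm_report_live NAME...: same report for the running kernel; returns 2
# when securityfs is not readable (for example, not mounted in a container).
lsm_report_live() {
    if [ ! -r "$LSM_FILE" ]; then
        echo "cannot read $LSM_FILE" >&2
        return 2
    fi
    lsm_report "$(tr -d '\n' < "$LSM_FILE")" "$@"
}

# Report for the list from the thread.
lsm_report "$SAMPLE" apparmor selinux bpf
```

On a node, call `lsm_report_live apparmor selinux bpf` to run the same report against the kernel's own list.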
Bug Report
General Information
uname -a):
kubectl version, ...)
Used KubeArmorHostPolicy
N/A
To Reproduce
and
Applied the above mentioned policy using kubectl apply -f
Ran the commands mentioned in the policy
Expected behavior
The execution of command pacman and sleep should be blocked and shown as Permission denied command terminated with exit code 126
Additional Info
k logs kubearmor-jz644 -n kubearmor, it shows
It detects the policy but does not update it. In case of container enforcement, we see the following logs
karmor probe
karmor logs --logFilter=all shows HostLogs
pacman and sleep is correct