Comments (8)
@seamaner Can you change from `matchLables` to `matchLabels`? 😅
my mistake. Thank you very much for your help.
this works:

cat hostpolicy.yaml

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: "ubuntu"
  process:
    matchPaths:
    - path: /usr/bin/sleep # try sleep 1
    - path: /usr/bin/top # try sleep 1
  action: Block
```

Other information:
if hostname is set to *: `kubearmor.io/hostname: "*"`, it will not work.
from kubearmor.
My bad. I realized you're using v1.3.2. Regex matching was introduced in v1.3.4 - https://github.com/kubearmor/KubeArmor/releases/tag/v1.3.4 : )
Hey @seamaner. Apologies for getting to this late.
In the host policy that you've shared, can you add a `nodeSelector`? Something like below. You can get the name-of-your-host by running `hostname`.
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: name-of-your-host
  process:
    matchPaths:
    - path: /usr/bin/sleep # try sleep 1
    - path: /usr/bin/top # try sleep 1
  action: Block
```
The above wasn't a required field earlier but it has been changed in the recent versions. We are lagging behind in the documentation on this one. 😅
On the brighter side, we now have regex based matching in the above label, so to have the same effect in which a policy will be applied to all nodes regardless of selector, you can do something like:

```yaml
nodeSelector:
  matchLabels:
    kubearmor.io/hostname: "*"
```

Please try it out and let us know if this doesn't fix it. Thanks! : )
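The two failure modes discussed in this thread (a policy that is accepted by `karmor vm policy add` but never applies because `matchLabels` is missing or misspelt as `matchLables`, and a `"*"` hostname that only works once regex matching exists) are both cheap to catch before the policy is applied. The following linter is an added example and not part of KubeArmor or the thread; it works on the policy as an already-parsed dict (the `_policy` helper and the three sample policies are constructed here from the YAML above), so it runs without PyYAML, and only imports PyYAML when you pass a file path on the command line. The `KNOWN_ACTIONS` set and the "regex from v1.3.4" cut-off are assumptions taken from this thread, not from KubeArmor's schema.

```python
"""Lint a KubeArmorHostPolicy before it is applied with `karmor vm policy add`.

Added example, not KubeArmor's own code. It encodes what the thread above
established: spec.nodeSelector.matchLabels is required in recent versions, a
misspelt key such as `matchLables` is accepted silently but never selects a
node, and a hostname of "*" relies on regex matching that the maintainers say
arrived in v1.3.4. Policies are handled as already-parsed dicts so the check
runs without PyYAML; the CLI entry point loads a file with PyYAML when a path
is given.
"""
from __future__ import annotations

import difflib

KNOWN_ACTIONS = {"Block", "Audit", "Allow"}  # assumption based on the thread's usage
REGEX_HOSTNAME_SINCE = (1, 3, 4)  # per the thread, "*" in the hostname label needs v1.3.4+


def _parse_version(version: str) -> tuple[int, ...]:
    """'v1.3.2' -> (1, 3, 2) so versions compare as tuples."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def lint_host_policy(policy: dict, kubearmor_version: str | None = None) -> list[str]:
    """Return human-readable findings; an empty list means the policy should apply."""
    findings: list[str] = []
    if policy.get("kind") != "KubeArmorHostPolicy":
        findings.append(f"kind is {policy.get('kind')!r}, expected 'KubeArmorHostPolicy'")

    spec = policy.get("spec") or {}
    selector = spec.get("nodeSelector")
    if not isinstance(selector, dict):
        findings.append("spec.nodeSelector is missing; recent KubeArmor versions require it")
    else:
        labels = selector.get("matchLabels")
        if not isinstance(labels, dict):
            # The typo from the thread: the key is accepted but selects nothing.
            near = [k for k in selector
                    if difflib.get_close_matches(k, ["matchLabels"], n=1, cutoff=0.8)]
            if near:
                findings.append(f"spec.nodeSelector.{near[0]}: unknown key, did you mean matchLabels?")
            else:
                findings.append("spec.nodeSelector.matchLabels is missing")
        else:
            host = labels.get("kubearmor.io/hostname")
            if host is None:
                findings.append("spec.nodeSelector.matchLabels has no kubearmor.io/hostname label")
            elif (host == "*" and kubearmor_version
                  and _parse_version(kubearmor_version) < REGEX_HOSTNAME_SINCE):
                findings.append(
                    f'kubearmor.io/hostname "*" needs regex matching (v1.3.4+); running {kubearmor_version}')

    action = spec.get("action")
    if action not in KNOWN_ACTIONS:
        findings.append(f"spec.action {action!r} is not one of {sorted(KNOWN_ACTIONS)}")
    return findings


def _policy(selector_key: str, hostname: str) -> dict:
    """Constructed copy of the thread's hostpolicy.yaml with the chosen selector key and hostname."""
    return {
        "apiVersion": "security.kubearmor.com/v1",
        "kind": "KubeArmorHostPolicy",
        "metadata": {"name": "hsp-kubearmor-dev-proc-path-block"},
        "spec": {
            "nodeSelector": {selector_key: {"kubearmor.io/hostname": hostname}},
            "process": {"matchPaths": [{"path": "/usr/bin/sleep"}, {"path": "/usr/bin/top"}]},
            "action": "Block",
        },
    }


POSTED_POLICY = _policy("matchLables", "*")      # what was posted: accepted, never applies
FIXED_POLICY = _policy("matchLabels", "ubuntu")  # what finally worked
STAR_POLICY = _policy("matchLabels", "*")        # fine only on v1.3.4 or newer


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        import yaml  # PyYAML, only needed when linting a file from disk

        with open(sys.argv[1]) as fh:
            doc = yaml.safe_load(fh)
    else:
        doc = POSTED_POLICY
    version = sys.argv[2] if len(sys.argv) > 2 else None
    for finding in lint_host_policy(doc, version) or ["no findings"]:
        print("-", finding)
```

Run it as `python lint_hsp.py hostpolicy.yaml v1.3.2` to lint a file against the KubeArmor version you are running; without arguments it lints the constructed copy of the policy from this thread and reports the `matchLables` key. The near-miss check uses `difflib` rather than an exact key list so that other one-letter slips in the selector key are reported the same way.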
thanks for your reply. This doesn't fix it after adding "nodeSelector".
That's sad. Can you share the logs from `kubearmor.service`, when you apply a policy? Also the policy in place?
Just to confirm nodeSelector is `kubearmor.io/hostname: ubuntu`, based on your node's name and after editing the policy you reapply with `karmor vm policy add <path-to-policy>`, right?
journalctl -u kubearmor.service latest logs:

```
journalctl -u kubearmor.service
......
May 11 04:17:13 ubuntu kubearmor[1137]: 2024-05-11 04:17:13.247703 INFO Added a new client (150cbdb8-c57c-4f92-9265-eee92c332000, policy) for WatchAlerts
May 11 04:17:21 ubuntu kubearmor[1137]: 2024-05-11 04:17:21.610467 INFO Deleted the client (150cbdb8-c57c-4f92-9265-eee92c332000) for WatchAlerts
May 11 04:20:24 ubuntu kubearmor[1137]: 2024-05-11 04:20:24.494330 INFO Detected a Host Security Policy (modified/hsp-kubearmor-dev-proc-path-block)
May 11 04:20:24 ubuntu kubearmor[1137]: 2024-05-11 04:20:24.496353 INFO Updating host rules
May 11 04:20:24 ubuntu kubearmor[1137]: 2024-05-11 04:20:24.496417 INFO Deleting inner map for host
```
the host name is set as *, like this:

cat hostpolicy.yaml

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  nodeSelector:
    matchLables:
      kubearmor.io/hostname: "*"
  process:
    matchPaths:
    - path: /usr/bin/sleep # try sleep 1
    - path: /usr/bin/top # try sleep 1
  action: Block
```

```
ubuntu@ubuntu:~$ karmor vm policy add hostpolicy.yaml
Policy Modified
```

I also tested hostname "ubuntu", as my hostname is "ubuntu".
Closing this as complete. LMK if otherwise.
Thanks.