Comments (8)

seamaner avatar seamaner commented on June 9, 2024 1

@seamaner Can you change from matchLables to matchLabels? 😅

my mistake. Thank you very much for your help.
this works:

cat hostpolicy.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: "ubuntu"
  process:
    matchPaths:
    - path: /usr/bin/sleep # try sleep 1
    - path: /usr/bin/top # try sleep 1
  action:
    Block

Other information:
If the hostname is set to *, i.e. kubearmor.io/hostname: "*", it will not work.

from kubearmor.

DelusionalOptimist avatar DelusionalOptimist commented on June 9, 2024 1

Other information:
If the hostname is set to *, i.e. kubearmor.io/hostname: "*", it will not work.

My bad. I realized you're using v1.3.2. Regex matching was introduced in v1.3.4 - https://github.com/kubearmor/KubeArmor/releases/tag/v1.3.4 : )

DelusionalOptimist avatar DelusionalOptimist commented on June 9, 2024

Hey @seamaner. Apologies for getting to this late.
In the host policy that you've shared, can you add a nodeSelector?

Something like below. You can get the name-of-your-host by running hostname.

apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: name-of-your-host
  process:
    matchPaths:
    - path: /usr/bin/sleep # try sleep 1
    - path: /usr/bin/top # try sleep 1
  action:
    Block

The above wasn't a required field earlier, but it has been changed in recent versions. We are lagging behind on the documentation for this one. 😅

On the brighter side, we now have regex based matching in the above label, so to have the same effect in which a policy will be applied to all nodes regardless of selector, you can do something like:

  nodeSelector:
    matchLabels:
      kubearmor.io/hostname: "*"

Please try it out and let us know if this doesn't fix it. Thanks! : )

seamaner avatar seamaner commented on June 9, 2024

thanks for your reply. This doesn't fix it after adding "nodeSelector".

DelusionalOptimist avatar DelusionalOptimist commented on June 9, 2024

That's sad. Can you share the logs from kubearmor.service, when you apply a policy? Also the policy in place?

Just to confirm nodeSelector is kubearmor.io/hostname: ubuntu, based on your node's name and after editing the policy you reapply with karmor vm policy add <path-to-policy>, right?

seamaner avatar seamaner commented on June 9, 2024

That's sad. Can you share the logs from kubearmor.service, when you apply a policy? Also the policy in place?

Just to confirm nodeSelector is kubearmor.io/hostname: ubuntu, based on your node's name and after editing the policy you reapply with karmor vm policy add <path-to-policy>, right?
journalctl -u kubearmor.service latest logs:

journalctl -u kubearmor.service
......
May 11 04:17:13 ubuntu kubearmor[1137]: 2024-05-11 04:17:13.247703        INFO        Added a new client (150cbdb8-c57c-4f92-9265-eee92c332000, policy) for WatchAlerts
May 11 04:17:21 ubuntu kubearmor[1137]: 2024-05-11 04:17:21.610467        INFO        Deleted the client (150cbdb8-c57c-4f92-9265-eee92c332000) for WatchAlerts
May 11 04:20:24 ubuntu kubearmor[1137]: 2024-05-11 04:20:24.494330        INFO        Detected a Host Security Policy (modified/hsp-kubearmor-dev-proc-path-block)
May 11 04:20:24 ubuntu kubearmor[1137]: 2024-05-11 04:20:24.496353        INFO        Updating host rules
May 11 04:20:24 ubuntu kubearmor[1137]: 2024-05-11 04:20:24.496417        INFO        Deleting inner map for host

the host name is set as * , like this:

cat hostpolicy.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: hsp-kubearmor-dev-proc-path-block
spec:
  nodeSelector:
    matchLables:
      kubearmor.io/hostname: "*"
  process:
    matchPaths:
    - path: /usr/bin/sleep # try sleep 1
    - path: /usr/bin/top # try sleep 1
  action:
    Block
ubuntu@ubuntu:~$ karmor vm policy add hostpolicy.yaml
Policy Modified

I also tested hostname "ubuntu", as my hostname is "ubuntu".

DelusionalOptimist avatar DelusionalOptimist commented on June 9, 2024

@seamaner Can you change from matchLables to matchLabels? 😅


DelusionalOptimist avatar DelusionalOptimist commented on June 9, 2024

Closing this as complete. LMK if otherwise.
Thanks.
