Comments (5)
@sublimino Cilium and KubeArmor have different views.
What I mean is that we're not talking about security rules for inter-container communications.
Instead, we're talking about the networking capability of processes inside of containers.
from kubearmor.
FYI Dataplane v2 (Cilium) will become standard on GKE but is a little different to stand up: https://cloud.google.com/kubernetes-engine/docs/how-to/dataplane-v2?hl=it#create-cluster
from kubearmor.
The AppArmor provided by GKE currently doesn't support network rules.
Therefore, if we want to block ICMP, we need to block the NET_RAW capability instead of ICMP.
In the case of TCP and UDP, there is no way to control such networking operations on GKE.
from kubearmor.
For the network rules on GKE, we can replace the Block action with the Audit action.
So, if we want to block TCP connections in the pods with the key=value label,
KubeArmor enforces the corresponding rule on the GKE nodes by replacing actions like "Block" -> "Block (Audit)".
Of course, this replacement should happen on GKE only. In other environments, we keep original actions.
from kubearmor.
In the case of GKE, the Block action of KubeArmor's network policies is changed to the Audit action (i.e., "Audit (Block)").
from kubearmor.
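The two situations discussed in the comments above (blocking ICMP on GKE by removing the NET_RAW capability, and a network Block rule that KubeArmor downgrades to Audit on GKE), written out as KubeArmorPolicy objects. This is an added example, not a policy from the thread or from the KubeArmor project; the `key: value` label, the policy names and the `default` namespace are assumptions.

```yaml
# Added example, not from the thread. Two KubeArmorPolicy objects for pods
# carrying the label key=value (label, names and namespace are assumptions).
---
# 1. Drop CAP_NET_RAW. Raw sockets are what classic ICMP tooling needs, so on
#    GKE, where the AppArmor profile carries no network rules, this is the
#    lever for stopping ICMP. A capability rule is enforced as Block on GKE too.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-net-raw
  namespace: default
spec:
  selector:
    matchLabels:
      key: value
  capabilities:
    matchCapabilities:
    - capability: net_raw
  action: Block
---
# 2. Network rule that blocks TCP. On GKE KubeArmor rewrites this Block to an
#    Audit action (alerts read "Audit (Block)"); on other platforms it is
#    enforced as written.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-tcp
  namespace: default
spec:
  selector:
    matchLabels:
      key: value
  network:
    matchProtocols:
    - protocol: tcp
  action: Block
```

Apply both with `kubectl apply -f` and confirm the effective action in the KubeArmor alert stream: on GKE the TCP rule should show up as an audit event rather than a denial. One caveat on the first policy: ping implementations that open an unprivileged ICMP datagram socket (possible when `net.ipv4.ping_group_range` admits the container's group) do not need CAP_NET_RAW, so check the behaviour on the actual image rather than assuming every ICMP path is closed.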