-
Notifications
You must be signed in to change notification settings - Fork 354
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
check support for Kata containers #1340
Comments
hey @nyrahul i am working on this issue, please assign this to me . |
Hey @yashvardhanmishra , Any updates on this? Please let us know if you need any help. |
I would like to work on this issue can you please guide me on how to get started on resolve the issue |
@MeenuyD are you still working on this one? |
I can help you out if you want, or I can take this up. |
I am working on the issue can you help me which file need to be change |
Have you checked the Kubearmor support in Kata containers? |
You can update the support matrix over here, |
do let me know if you have any further queries. Regarding docs and FAQ updation you can visit our website repo here |
Hey @nyrahul @VedRatan I tested katacontainers with kubearmor on k3s. At first I ran the nginx app, applying the sample policy which successfully blocked the |
Very Interesting. Thanks for presenting the findings here. Is it possible to talk about this in the next community call? |
Of course, I will be present at the next meeting. |
Looks like /sys/kernel/security folder does not exist. |
OS is quite bare-bones, no mechanism for copying the script nor cat << EOF works. Manually dumping the config using
|
Kata containers has it's own OS builder for images https://github.com/kata-containers/kata-containers/blob/main/tools/osbuilder. In the long run perhaps they would accept upstreaming the necessary kernel config changes for KubeArmor to work, but it is always an option for people to build their own image with support for KubeArmor. I don't have context into internal development and discussions, so I might be very wrong and speaking out of turn. As far as I understand the KubeArmor model assumes that the node and pods on that node are running under the same kernel and that the policy violations in containers result in policy violations on the node that can be mapped to/from their respective containers. The daemonsets for KubeArmor run on the nodes, but what is needed is for KubeArmor to run on the VM of each pod. I don't think there is a k8s equivalent of daemonsets for pods, but I did see KubeArmor does have a containerized deployment. One might further consider baking KubeArmor into the guest image. EDIT: I see now that the scope of this issue might be much more limited than what I was commenting on. |
KubeArmor does not assume that node and pods run under the same kernel .. the kernels can be different but then every pod which runs inside a microVM will be treated as a separate compute instance which means a separate KubeArmor instance will manage it. The kata-containers model is more or less similar to KubeVirt model from KubeArmor's perspective ... i.e., a separate VM is running the pod/workload and thus the protection has to be applied at that VM level .. Based on @rootxrishabh 's comment, looks like only SELinux is enabled in the VM and thus a custom image might have to be built. Note that even with the current image, KubeArmor can provide eBPF based audit/network-segmentation/app-behaviour functionaly... but not the inline-mitigation. For inline-mitigation, or block-based rules, KubeArmor would need either AppArmor or BPF-LSM to be enabled. |
Do you mean just the core of KubeArmor, or the k8s daemonset deployment too? Is this in the docs somewhere? That and kata-containers support would be a big step step to also supporting Confidential Containers Peerpods. |
@nyrahul as we don't have bpflsm enabled by default, kubearmor won't be functioning to it's full potential. I propose the next course of action should be to create a custom image with LSMs enabled. Eager to know your thoughts on this? |
Yep, we will have to create a custom image with BPFLSM enabled. |
Kata is introducing support for AppArmor via this PR |
That is a good news. If the BPF_LSM would have been enabled, that would been great as well. Is it possible to let the kata team know about enabling BPF-LSM? |
I have already informed the kata team about the same : ) |
Hey Folks, Thanks for the interest in the mentorship. We have certain prerequisites which we expect to be included in your application. Please include details or reference to a document for the said prerequisite in your Cover Letter / Mail to the mentors / Submit it in the issue thread / DM Mentors in KubeArmor Slack by 20 Feb. Following are the details. Kubearmor Kata Container Support - https://mentorship.lfx.linuxfoundation.org/project/0ece2baf-071b-4155-b1e8-696fbe58e991 |
|
@nyrahul @bpradipt, Please find the document attached to run kubearmor with kata containers. |
Feature Request
Short Description
Kata Containers is an open-source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
Describe the solution you'd like
Verify if KubeArmor can be deployed on systems using Kata containers.
Tasks
LFX Tasks
Test Kube Armor inside Kata guest VM:
KubeArmor deployment model
The text was updated successfully, but these errors were encountered: