Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs/FAQ: Talos support & FAQ update #1868

Merged
merged 2 commits into from
Jan 14, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
81 changes: 10 additions & 71 deletions getting-started/FAQ.md
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,8 @@ Unbreakable Enterprise Kernel Release 7 (UEK R7) is based on Linux kernel 5.15 L

### Checking if BPF-LSM is supported in the Kernel

> Note: KubeArmor now supports upgrading the nodes to BPF-LSM using [an updater daemonset](#kubearmor-enforcement-is-not-enabledworking). The following text is just an FYI but need not be used manually for k8s env.

We check for BPF LSM Support in Kernel Config

```sh
Expand Down Expand Up @@ -322,85 +324,22 @@ kubectl patch deploy -n $(kubectl get deploy -l kubearmor-app=kubearmor-relay -A
</details>

<details>
<summary><h4>Debug KubeArmor installation issue</h4></summary>
In certain scenarios, the expected behavior of KubeArmor might not be observed. One way to investigate this is by using the KubeArmor Command Line Interface (CLI) utility, commonly referred to as [karmor cli](https://github.com/kubearmor/kubearmor-client).

To check the status and configuration of KubeArmor, you can use the following command:
<summary><h4>KubeArmor enforcement is not enabled/working</h4></summary>

KubeArmor enforcement mode requires support of LSMs on the hosts. Certain distributions might not enable it out of the box. There are two ways to check this:
1. During KubeArmor installation, it shows the following warning message:
```
karmor probe
KubeArmor is running in Audit mode, only Observability will be available and Policy Enforcement won't be available.
```
2. Another way to check it is using `karmor probe`. If the `Active LSM` shown is blank, then the enforcement won't work.

```
pc:~$ karmor probe

Found KubeArmor running in Kubernetes

Daemonset :

kubearmor Desired: 1 Ready: 1 Available: 1 Deployments :

kubearmor-controller Desired: 1 Ready: 1 Available: 1
kubearmor-operator Desired: 1 Ready: 1 Available: 1
kubearmor-relay Desired: 1 Ready: 1 Available: 1

Containers :

kubearmor -apparmor-containerd-98c2c-z772n Running: 1 Image Version: kubearmor/kubearmor:stable
kubearmor-controller -6b5d689967-4wxnh Running: 2 Image Version: gcr.io/kubebuilder/kube-rbac-proxy:v0.12.
kubearmor -operator -6fb47dd855-6tk5r Running: 1 Image Version: kubearmor/kubearmor-operator: latest
kubearmor -relay-6966976dbb-hq96h Running: 1 Image Version: kubearmor/kubearmor-relay-server

Node 1 :

OS Image: Debian GNU/Linux 11 (bullseye)

Kernel Version: 6.2.0-36-generic

Kubelet Version: v1.27.3

Container Runtime: containerd://1.7.1

Active LSM:

Host Security: false

Container Security: false

Container Default Posture: audit(File) audit(Capabilities) audit (Network)
Host Default Posture: audit(File) audit(Capabilities) audit (Network)
Host Visibility: none

Armored Up pods :

------------------------------------------------------------

| NAMESPACE | DEFAULT POSTURE | VISIBILITY | NAME | POLICY |
```

When executing this command, check the output for the value of **ActiveLSM** field, if it is not assigned any value, it means that no active LSM is available for KubeArmor to enforce policies. Under normal circumstances, this value should be assigned a specific Linux Security Module (LSM) that KubeArmor uses to enforce security policies. Additionally, ensure that the **Container Security** field is set to true.

However, there are situations where ActiveLSM might not be assigned any value. This situation indicates that Kubearmor is unable to identify the appropriate LSM in a environment, which is commonly used in Kubernetes setups.

To address this issue, KubeArmor provides a solution involving the use of BPF-LSM. BPF (Berkeley Packet Filter) is a technology that allows efficient packet filtering in the Linux kernel. Enabling support for BPF LSM ensures that KubeArmor can apply and enforce policies as expected in Dockerized environments associated with Kubernetes. Please note that BPFLSM is only available on kernel versions above 5.8 or on RHEL distros > 8.5.

So we need to enable [bpf-lsm](FAQ.md#checking-and-enabling-support-for-bpf-lsm) for Kubearmor to apply and enforce policies as expected.

You can also enable AppArmor if you want to use it as a security module to enforce KubeArmor policies, please refer [here](FAQ.md#using-kubearmor-with-kind-clusters). There is a chance that neither AppArmor nor BPF-LSM is enabled on some nodes.

**We can apply the following manifest which automatically detects and installs BPFLSM/AppArmor whichever is needed in kubernetes worker nodes.**

```
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/controller/updaterscript.yaml
```

The above updater daemonset will update all the nodes at the same time and thus all the nodes will restart simultaneously. If you want a RollingUpdate of the nodes, then you can use the following command instead.

Following `updater` daemonset will enable the required LSM on the nodes (in the future if new nodes are dynamically added, those nodes will be auto enabled as well).
```
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/controller/ka-updater-kured.yaml
```
> Note: Nodes who do not have necessary LSM will be restarted after the deployment of updater.

**Warning:** After running the above script the nodes will restart.
Once the nodes are restarted, `karmor probe` would then show `Active LSM` with appropriate value.
</details>

<details><summary><h4>KubeArmor with WSL2</h4></summary>
Expand Down
6 changes: 4 additions & 2 deletions getting-started/support_matrix.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,9 @@ KubeArmor supports following types of workloads:
| Google | [GKE] | Ubuntu >= 16.04 | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM], AppArmor | All [release channels][GKE-REL] |
| Microsoft | [AKS] | Ubuntu >= 18.04 | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM], AppArmor |
| Oracle | [OKE] | [UEK] >=7 | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM] | [Oracle Linux Server 8.7][OLS] |
| IBM | [IBM k8s Service][IKS] | Ubuntu | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM], AppArmor |
| IBM | [IKS] | Ubuntu | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM], AppArmor |
| Talos | [Talos k8s][TalosK8s] | Talos | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM] | [1540] |
| AWS | [EKS] | Amazon Linux 2 (kernel >=5.8) | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM] |
| AWS | [EKS] | Amazon Linux 2 (kernel <=5.4) | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: | SELinux |
| AWS | [EKS] | Ubuntu | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | AppArmor |
| AWS | [EKS] | [Bottlerocket] | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM] |
| AWS | [Graviton] | Ubuntu | ARM | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | AppArmor |
Expand All @@ -35,6 +35,8 @@ KubeArmor supports following types of workloads:
| Alibaba Cloud | [Alibaba] | Alibaba Cloud Linux 3.2104 LTS | x86_64 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | [BPFLSM] | [1650] |

[Observability]: workload_visibility.md
[TalosK8s]: https://www.siderolabs.com/platform/talos-os-for-kubernetes/
[1540]: https://github.com/kubearmor/KubeArmor/issues/1540
[Network-Segmentation]: network_segmentation.md
[GKE]: https://cloud.google.com/kubernetes-engine
[EKS]: https://aws.amazon.com/eks/
Expand Down
Loading