Kubearmor does not enforce anything on pod's entrypoint or execs to kubernetes pods

Question

Kubearmor does not enforce anything on pod's entrypoint or execs to kubernetes pods

Opened this issue 8 months ago · 1 comments

Bug Report

General Information

Environment description
kind k8s
Kernel version

Linux *** 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 15 10:51:06 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Orchestration system version in use

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.2

To Reproduce

Apply policy

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: allow-exec-binaries
  namespace: default
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /
      recursive: true
  process:
    matchPaths:
    - path: /usr/bin/sleep
    - path: /usr/sbin/nginx
  selector:
    matchLabels:
      app: nginx

Create nginx deployment

kubectl create deployment nginx --image=nginx

Exec to running pod

kubectl exec -ti $(kubectl get pod -l app=nginx -o name) -- bash

Expected behavior

Permission denied for bash or at least more clear documentation for how k8s exec commands and apparmor profiles are inter-related. Scrolling though code, I couldn't easily find what's happening either.

Generated apparmor profile looks as follows /etc/apparmor.d/kubearmor-default-nginx-nginx

## == Managed by KubeArmor == ##
#include <tunables/global>

## == Dispatcher profile START == ##
profile kubearmor-default-nginx-nginx flags=(attach_disconnected,mediate_deleted) {
	## == PRE START == ##
	#include <abstractions/base>
	
	network,
	capability,
	## == PRE END == ##
  
	## == File/Dir START == ##
	/{,**} klmrw,
	## == File/Dir END == ##
	## == DISPATCHER START == ##
	/usr/bin/sleep ix,
	/usr/sbin/nginx ix,
	## == DISPATCHER END == ##
  
  ## == Network START == ##
  ## == Network END == ##
  
  ## == Capabilities START == ##
  ## == Capabilities END == ##
  
	## == Native Policy START == ##

	## == Native Policy END == ##

  
	## == POST START == ##
	/lib/x86_64-linux-gnu/{*,**} rm,
	
	deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
	deny @{PROC}/sysrq-trigger rwklx,
	deny @{PROC}/mem rwklx,
	deny @{PROC}/kmem rwklx,
	deny @{PROC}/kcore rwklx,

	
	deny mount,
	

	deny /sys/[^f]*/** wklx,
	deny /sys/f[^s]*/** wklx,
	deny /sys/fs/[^c]*/** wklx,
	deny /sys/fs/c[^g]*/** wklx,
	deny /sys/fs/cg[^r]*/** wklx,
	deny /sys/firmware/efi/efivars/** rwklx,
	deny /sys/kernel/security/** rwklx,

	## == POST END == ##
}
## == Dispatcher profile END == ##

## == FromSource per binary profiles START == ##
## == FromSource per binary profiles END == ##

## == Templates section START == ##

And this same profile if applied without kubearmor does prevent bash or anything other than nginx/sleep from running which makes sense, moreover it prevents nginx from running because of missing some other permissions. Is kubearmor somewhat different in that regard? Maybe someone can at least point to the code where this logic that skips enforcement of commands lives.

Answer 1 · 2024-06-10T20:27:23.000Z

Hey @alexeysofin, we tried this scenario ourselves and we found that the behaviour is the same of the apparmor profiles irrespective of the kubearmor presence.

I've tried out this same profile and in the absence of kubearmor, kubectl exec is not blocked, this is the expected behaviour.
PTAL https://github.com/kubearmor/KubeArmor/wiki/Enforcer-Feature-Parity