v1.5.0 release checklist
Release Checklist
- Manual Tests
- EKS - BottleRocket
- EKS - Graviton (ARM64)
- EKS - Amazon Linux 2
- GKE COS (AppArmor)
- GKE COS (BPF-LSM)
- RHEL (certain BPF_LSM primitives are not available on RHEL)
- minikube - VM Based
- AKS Cluster - Ubuntu
- AKS Cluster - Azure Linux - No AppArmor packages
- VM support - test kubearmor packages without k8s on RHEL and Debian based systems
- VM Support - Docker Compose
- KubeArmor Performance Benchmarking Data for BPF-LSM
- Seccomp implementation in all cluster envs mentioned above
- MarketPlace Image updates
- Release Blog
- Mark as stable release
- Update to getting-started guide for helm
- Does it require a manual update to Operator bundle? (changes required)
- Check helm charts have been released
Note: The release checklist is needed since testing of certain platforms is not automated in the CI env due to non-technical (primarily cost) concerns.
@Aryan-sharma11 EKS, AKS
@rksharma95 Marketplaces, RHEL, VM, Talos
@rootxrishabh GKE, NRI
@daemon1024 Release Blog
Environment: VM
Orchestration system: Unorchestrated
Tests: https://github.com/kubearmor/KubeArmor/tree/main/tests/nonk8s_env
Ubuntu 20.04.6 LTS
Found KubeArmor running in Systemd mode
Host :
OS Image: Ubuntu 20.04.6 LTS
Kernel Version: 5.4.0-169-generic
Kubelet Version:
Container Runtime:
Active LSM: AppArmor
Host Security: true
Container Security: true
Container Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Visibility: process,file,network,capabilities
Armored Up Containers :
+-----------------+------------------+
| CONTAINER NAME | POLICY |
+-----------------+------------------+
| wordpress-mysql | ksp-block-policy |
+-----------------+------------------+
/home/vagrant/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21
> Enter [AfterSuite] TOP-LEVEL - /home/vagrant/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/21/25 08:21:12.141
< Exit [AfterSuite] TOP-LEVEL - /home/vagrant/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/21/25 08:21:18.056 (5.916s)
[AfterSuite] PASSED [5.916 seconds]
------------------------------
Ran 4 of 4 Specs in 115.236 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
PASS
Ginkgo ran 1 suite in 2m54.211143847s
Test Suite Passed
Red Hat Enterprise Linux 9.5
Found KubeArmor running in Systemd mode
Host :
OS Image: Red Hat Enterprise Linux 9.5 (Plow)
Kernel Version: 5.14.0-503.15.1.el9_5.x86_64
Kubelet Version:
Container Runtime:
Active LSM: BPFLSM
Host Security: true
Container Security: true
Container Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Visibility: process,file,network,capabilities
Armored Up Containers :
+-----------------+------------------+
| CONTAINER NAME | POLICY |
+-----------------+------------------+
| wordpress-mysql | ksp-block-policy |
+-----------------+------------------+
[AfterSuite]
/home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21
> Enter [AfterSuite] TOP-LEVEL - /home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/22/25 07:18:28.476
< Exit [AfterSuite] TOP-LEVEL - /home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/22/25 07:18:33.999 (5.523s)
[AfterSuite] PASSED [5.523 seconds]
------------------------------
Ran 4 of 4 Specs in 18.840 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
PASS
Ginkgo ran 1 suite in 26.398071969s
Test Suite Passed
$ docker exec -it wordpress-mysql apt
exec /usr/bin/apt: permission denied
== Alert / 2025-01-22 08:09:55.394043 ==
ClusterName: default
HostName: ip-172-31-18-72.ec2.internal
NamespaceName: container_namespace
PodName: wordpress-mysql
Labels: com.docker.compose.oneoff=False,com.docker.compose.project.working_dir=/home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/res/wordpress_docker,com.docker.compose.config-hash=262f147e472b4380f054219d231be78c05d3b91e71134b5d0403d125c81fa400,com.docker.compose.container-number=1,com.docker.compose.project=wordpress_docker,com.docker.compose.project.config_files=/home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/res/wordpress_docker/compose.yaml,com.docker.compose.service=wordpress,com.docker.compose.version=2.32.4,com.docker.compose.depends_on=,com.docker.compose.image=sha256:c012b71a41fc3c0c778ba2d120c275cc75f5181852be1bff3402eb21d5a758de,namespaceName=container_namespace,kubearmor.io/container.name=wordpress-mysql
ContainerName: wordpress-mysql
ContainerID: 76351f7d85f15a5d1a48dcb68678da70c445add3998466e903a4e3417c5f2a79
ContainerImage: wordpress:latest
Type: MatchedPolicy
PolicyName: ksp-block-policy
Severity: 3
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: BPFLSM
Result: Permission denied
Cwd: /var/www/html/
HostPID: 37474
HostPPID: 37463
PID: 62
PPID: 0
ProcessName: /usr/bin/apt
TTY: pts0
UID: 0
Environment: EKS
Orchestration system: Orchestrated
Tests: https://github.com/kubearmor/KubeArmor/tree/main/tests/k8s_env
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
ip-172-31-23-222.ec2.internal Ready <none> 92m v1.31.4-eks-aeac579 172.31.23.222 34.229.14.244 Amazon Linux 2 5.10.230-223.885.amzn2.x86_64 containerd://1.7.23
ip-172-31-24-125.ec2.internal Ready <none> 61m v1.31.3-eks-7636447 172.31.24.125 54.208.125.7 Bottlerocket OS 1.31.0 (aws-k8s-1.31) 6.1.119 containerd://1.7.24+bottlerocket
ip-172-31-64-200.ec2.internal Ready <none> 94m v1.31.4-eks-aeac579 172.31.64.200 44.197.206.184 Amazon Linux 2 5.10.230-223.885.amzn2.aarch64 containerd://1.7.23
karmor probe
Found KubeArmor running in Kubernetes
Daemonset :
kubearmor Desired: 3 Ready: 3 Available: 3
Deployments :
kubearmor-controller Desired: 1 Ready: 1 Available: 1
kubearmor-operator Desired: 1 Ready: 1 Available: 1
kubearmor-relay Desired: 1 Ready: 1 Available: 1
Containers :
kubearmor-bpf-containerd-98c2c-2x7vz Running: 1 Image Version: kubearmor/kubearmor:latest
kubearmor-bpf-containerd-98c2c-mhglx Running: 1 Image Version: kubearmor/kubearmor:latest
kubearmor-bpf-containerd-98c2c-nssql Running: 1 Image Version: kubearmor/kubearmor:latest
kubearmor-controller-8684dbc7c6-bhc5q Running: 1 Image Version: kubearmor/kubearmor-controller:latest
kubearmor-operator-8468587df9-v8p8l Running: 1 Image Version: kubearmor/kubearmor-operator:latest
kubearmor-relay-fb966b895-vxmxf Running: 1 Image Version: kubearmor/kubearmor-relay-server:latest
Node 1 :
OS Image: Amazon Linux 2
Kernel Version: 5.10.230-223.885.amzn2.aarch64
Kubelet Version: v1.31.4-eks-aeac579
Container Runtime: containerd://1.7.23
Active LSM:
Host Security: false
Container Security: false
Container Default Posture: block(File) block(Capabilities) block(Network)
Host Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Visibility: none
Node 2 :
OS Image: Bottlerocket OS 1.31.0 (aws-k8s-1.31)
Kernel Version: 6.1.119
Kubelet Version: v1.31.3-eks-7636447
Container Runtime: containerd://1.7.24+bottlerocket
Active LSM: BPFLSM
Host Security: false
Container Security: true
Container Default Posture: block(File) block(Capabilities) block(Network)
Host Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Visibility: none
Node 3 :
OS Image: Amazon Linux 2
Kernel Version: 5.10.230-223.885.amzn2.x86_64
Kubelet Version: v1.31.4-eks-aeac579
Container Runtime: containerd://1.7.23
Active LSM: BPFLSM
Host Security: false
Container Security: true
Container Default Posture: block(File) block(Capabilities) block(Network)
Host Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Visibility: none
Armored Up pods :
+-----------+-----------------+------------+------+--------+
| NAMESPACE | DEFAULT POSTURE | VISIBILITY | NAME | POLICY |
+-----------+-----------------+------------+------+--------+
+-----------+-----------------+------------+------+--------+
Performance
Pod: kubearmor-bpf-containerd-98c2c-2x7vz
Average CPU (m): 4.81
Average Memory (MiB): 60.83
Peak CPU (m): 47
Peak Memory (MiB): 87
Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08
Pod: kubearmor-bpf-containerd-98c2c-mhglx
Average CPU (m): 8.15
Average Memory (MiB): 135.92
Peak CPU (m): 355
Peak Memory (MiB): 167
Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08
Pod: kubearmor-bpf-containerd-98c2c-nssql
Average CPU (m): 30.95
Average Memory (MiB): 78.13
Peak CPU (m): 722
Peak Memory (MiB): 106
Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08
Pod: kubearmor-controller-8684dbc7c6-bhc5q
Average CPU (m): 1.82
Average Memory (MiB): 16.14
Peak CPU (m): 6
Peak Memory (MiB): 18
Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08
Pod: kubearmor-operator-8468587df9-v8p8l
Average CPU (m): 2.52
Average Memory (MiB): 9.83
Peak CPU (m): 4
Peak Memory (MiB): 10
Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08
Pod: kubearmor-relay-fb966b895-vxmxf
Average CPU (m): 10.90
Average Memory (MiB): 11.40
Peak CPU (m): 44
Peak Memory (MiB): 16
Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08
Test Result
Ginkgo ran 10 suites in 23m55.383333199s
Test Suite Passed
Environment: OpenShift
Orchestration system: Orchestrated
oc get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
crc Ready control-plane,master,worker 120d v1.30.4 192.168.126.11 <none> Red Hat Enterprise Linux CoreOS 417.94.202409121747-0 5.14.0-427.35.1.el9_4.x86_64 cri-o://1.30.5-7.rhaos4.17.git2e89940.el9
karmor probe
Found KubeArmor running in Kubernetes
Daemonset :
kubearmor Desired: 1 Ready: 1 Available: 1
Deployments :
kubearmor-controller Desired: 1 Ready: 1 Available: 1
kubearmor-relay Desired: 1 Ready: 1 Available: 1
Containers :
kubearmor-snitch-j28hx-g2pbf Running: 1 Image Version: docker.io/kubearmor/kubearmor-snitch@sha256:6ed475b122785e7fea6941ef2e81a8c558707a348d917c6fc3b8476750d343d5
kubearmor-bpf-cri-o-47653-2vkzx Running: 1 Image Version: docker.io/kubearmor/kubearmor-ubi@sha256:0c335fb514a173ffb70ff56d0d613bbcfd103331429ef4ea7e3e515eabd77b34
kubearmor-controller-8845f7f8d-c4cj9 Running: 1 Image Version: docker.io/kubearmor/kubearmor-controller@sha256:eed7383b3c58deccb063ea621f32c1661d50412e343d56f4631b63901b1da51f
kubearmor-operator-596c785d46-mzg84 Running: 1 Image Version: docker.io/kubearmor/kubearmor-operator@sha256:1bceb45544fe2d0b8cb7d985cb6b42b2cc2f4ad09d57aff9fd407dc142a59b8a
kubearmor-relay-9f5d74cbf-rnmd8 Running: 1 Image Version: docker.io/kubearmor/kubearmor-relay-server@sha256:ac1c41c2d69caa7e53546ec2ae33bc868a0d1dc8bd1d649ef25b397ec220f31f
Node 1 :
OS Image: Red Hat Enterprise Linux CoreOS 417.94.202409121747-0
Kernel Version: 5.14.0-427.35.1.el9_4.x86_64
Kubelet Version: v1.30.4
Container Runtime: cri-o://1.30.5-7.rhaos4.17.git2e89940.el9
Active LSM: BPFLSM
Host Security: false
Container Security: true
Container Default Posture: block(File) block(Capabilities) block(Network)
Host Default Posture: audit(File) audit(Capabilities) audit(Network)
Host Visibility: none
karmor logs
local port to be used for port forwarding kubearmor-relay-9f5d74cbf-rnmd8: 32851
Created a gRPC client (localhost:32851)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2025-01-27 11:52:12.514772 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/pts/ptmx
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR|O_NOCTTY|O_CLOEXEC
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:12.514789 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/pts/0
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
TTY: pts0
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:12.515946 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-remote-services
Severity: 3
Message: Warning! access sensitive files detected
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /etc/passwd
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDONLY|O_CLOEXEC
Enforcer: BPFLSM
Result: Passed
ATags: [5G FGT1021 FIGHT MITRE MITRE_T1021_Remote_Services]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
TTY: pts0
Tags: 5G,FGT1021,FIGHT,MITRE,MITRE_T1021_Remote_Services
UID: 0
== Alert / 2025-01-27 11:52:12.518307 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/tty
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
TTY: pts0
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:12.518352 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh
Resource: /dev/tty
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82983
HostPPID: 82976
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 49
PPID: 43
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/dash
TTY: pts0
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:14.648461 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: lsm=SECURITY_BPRM_CHECK
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 82983
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
== Alert / 2025-01-27 11:52:14.648228 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 49
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
TTY: pts0
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
== Alert / 2025-01-27 11:52:14.648674 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 49
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
TTY: pts0
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
== Alert / 2025-01-27 11:52:14.649937 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: lsm=SECURITY_BPRM_CHECK
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 82983
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
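As an added example (not part of this issue or of the KubeArmor project's own test suite), here is a small Python parser for the `karmor logs` alert format pasted above. It splits the stream on the `== Alert / <timestamp> ==` headers, turns each `Key: value` line into a dictionary, and then checks the property the OpenShift run above is meant to demonstrate: every `Action: Block` alert must carry `Result: Permission denied`, and every `Action: Audit` alert `Result: Passed`. The two alerts embedded in `SAMPLE_LOGS` are constructed from the format above (field values copied from the page, trimmed to the relevant keys), not a fresh capture; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the `karmor logs` format shown on the page (not a live capture).
SAMPLE_LOGS = """\
== Alert / 2025-01-27 11:52:14.648228 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
PolicyName: harden-pkg-mngr-exec
Severity: 5
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: BPFLSM
Result: Permission denied
Owner: map[Name:nginx Namespace:default Ref:Deployment]
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
== Alert / 2025-01-27 11:52:12.518307 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
PolicyName: harden-write-under-dev-dir
Severity: 5
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/tty
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR
Enforcer: BPFLSM
Result: Passed
Owner: map[Name:nginx Namespace:default Ref:Deployment]
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
"""

ALERT_HEADER = re.compile(r"^== Alert / (?P<ts>.+?) ==$")


def parse_alerts(text):
    """Split a karmor logs stream into one dict per alert, keyed by the field names."""
    alerts = []
    current = None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"Timestamp": m.group("ts")}
            alerts.append(current)
            continue
        # Field lines are "Key: value"; split only on the first ": " so values such as
        # "Data: syscall=SYS_OPENAT fd=-100" and "Owner: map[Name:nginx ...]" stay intact.
        if current is None or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        current[key] = value
    return alerts


def tags(alert):
    """The comma-separated Tags field as a list (empty if absent)."""
    raw = alert.get("Tags", "")
    return [t for t in raw.split(",") if t]


def check_enforcement(alerts):
    """Return the alerts whose Result contradicts their Action.

    A Block must end in 'Permission denied'; an Audit must end in 'Passed'.
    Anything else means the policy matched but the enforcer did not act as expected.
    """
    problems = []
    for a in alerts:
        action, result = a.get("Action"), a.get("Result")
        if action == "Block" and result != "Permission denied":
            problems.append(a)
        elif action == "Audit" and result != "Passed":
            problems.append(a)
    return problems


def summarize(alerts):
    """Count alerts per (policy, action, enforcer), handy for eyeballing a probe run."""
    return Counter((a.get("PolicyName"), a.get("Action"), a.get("Enforcer")) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOGS)
    for key, n in summarize(parsed).items():
        print(key, n)
    bad = check_enforcement(parsed)
    print("enforcement mismatches:", len(bad))
```

Feed it the saved output of `karmor logs` and a non-empty result from `check_enforcement` is the quickest signal that a Block policy was matched but not enforced on that node, which is exactly the kind of platform-specific gap (missing BPF-LSM primitives, no AppArmor packages) the manual checklist exists to catch.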
Environment: GKE
Orchestration system: Orchestrated
Enforcer: BPFLSM
O.S: Container Optimized OS
Ran 17 of 19 Specs in 236.789 seconds
SUCCESS! -- 17 Passed | 0 Failed | 0 Pending | 2 Skipped
PASS
Ginkgo ran 1 suite in 4m2.127196858s
Test Suite Passed
Environment: GKE
Orchestration system: Orchestrated
Enforcer: AppArmor
O.S: Container Optimized OS
Summarizing 1 Failure:
[FAIL] Smoke Policy Apply [It] can block execution of pkg mgmt tools such as apt, apt-get
/home/rootxrishabh/accuknox/KubeArmor/tests/k8s_env/smoke/smoke_test.go:85
Ran 9 of 9 Specs in 249.345 seconds
FAIL! -- 8 Passed | 1 Failed | 0 Pending | 0 Skipped
--- FAIL: TestSmoke (249.35s)
FAIL
Ginkgo ran 1 suite in 4m15.698470445s
Test Suite Failed
AWS listing will be updated with the upcoming release, with the updated stable relay.