
Support for BPF-LSM for policy enforcement #484


Closed
9 of 10 tasks
nyrahul opened this issue Nov 15, 2021 · 5 comments · Fixed by #741
Labels
enhancement New feature or request roadmap Roadmap feature for KubeArmor
Comments

@nyrahul
Contributor

nyrahul commented Nov 15, 2021

Feature Request

Currently, KubeArmor supports AppArmor for policy enforcement. SELinux has several limitations on what can be achieved from an enforcement point of view.

The new LSM around the corner, the BPF-LSM, shows a lot of promise. It essentially will allow KubeArmor to insert eBPF bytecode at LSM hooks. BPF-LSM could do away with the limitations of AppArmor and SELinux internal policy constructs and allow for a flexible way of enforcing user-specified policies on containers/hosts.

Why BPF-LSM for KubeArmor?

  • BPF-LSM can improve coverage for KubeArmor on platforms not supporting AppArmor
  • BPF-LSM is a stackable LSM, which means we can use BPF-LSM in parallel with existing AppArmor, SELinux. KubeArmor will read events from any LSM and couple it with k8s metadata for alerts/telemetry purposes (this is already supported).
  • Most of the latest images supporting kernel version > 5.10 already have inbuilt support for BPF-LSM

The primary limitation with BPF-LSM is that it is supported only with latest kernel versions.

Task list:

  • Network based rules
  • File/Process based rules
  • fromSource based rules
  • defaultPosture and namespace based posture
  • wildcard support
  • Deployment: EKS Bottlerocket
  • Deployment: EKS AL2
  • System tests
  • Ability to enforce policies generated by discovery-engine
  • Host based policies

Is your feature request related to a problem? Please describe the use case.
The primary use case is to get better coverage and a more flexible policy engine.

Describe the solution you'd like
A detailed design document needs to be prepared for handling this.

Which images from cloud providers currently support BPF-LSM?

  • EKS Amazon Linux 2
  • EKS Bottlerocket
  • Ubuntu 20.10 images across EKS/GKE

CC: @daemon1024 @weirdwiz @nam-jaehyun

@nyrahul nyrahul added the enhancement New feature or request label Nov 15, 2021
@nyrahul nyrahul changed the title Support for BPF-LSM in KubeArmor for policy enforcement Support for BPF-LSM for policy enforcement Nov 16, 2021
@nyrahul nyrahul added the help wanted Extra attention is needed label Nov 18, 2021
@JeongyoonMoon

Can I work on this? I could start on December 20, 2021. I have experience in LSM eBPF while implementing a research prototype with @nam-jaehyun.

@nyrahul
Contributor Author

nyrahul commented Nov 22, 2021

Can I work on this? I could start on December 20, 2021. I have experience in LSM eBPF while implementing a research prototype with @nam-jaehyun.

Thank you for the interest. Currently, we are in the phase of analyzing whether BPF LSM can be used for existing policy constructs that are presently fulfilled by AppArmor. @weirdwiz, can you share the analysis xls and maybe we can split up the analysis work? WDYT? @nam-jaehyun @weirdwiz

@weirdwiz
Contributor

weirdwiz commented Nov 22, 2021

Spreadsheets containing different POCs

@JeongyoonMoon

Thank you for the reply. Ok, then please let me know when the analysis ends. I want to participate in the analysis, but I have to focus on other things until December 20, 2021.

@nyrahul
Contributor Author

nyrahul commented Jun 6, 2022

The design document used for BPF-LSM.

@daemon1024 daemon1024 pinned this issue Jun 17, 2022
@daemon1024 daemon1024 linked a pull request Jun 30, 2022 that will close this issue
9 tasks
@nyrahul nyrahul added this to the v0.5 milestone Jul 4, 2022
@nyrahul nyrahul removed the help wanted Extra attention is needed label Jul 4, 2022
@nyrahul nyrahul unpinned this issue Jul 14, 2022