kubearmor/KubeArmor

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

3,954 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Build Status CII Best Practices CLOMonitor OpenSSF Scorecard FOSSA Status FOSSA Status Slack Discussions Docker Downloads ArtifactHub

KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level.

KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce the user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.
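As an added example (not code from the KubeArmor repository), the policy below shows how the system-level restrictions just described are expressed as a KubeArmorPolicy: it blocks writes to the container's certificate bundle directory while leaving reads intact, and blocks execution of the Debian package-manager binaries. The namespace `web`, the label `app: nginx`, the policy name and the tag/message strings are assumptions chosen for illustration.

```yaml
# Added example, not a policy shipped by the KubeArmor project.
# Assumed: namespace "web", pods labelled app=nginx, Debian-based image.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-nginx            # assumed name
  namespace: web                # assumed namespace
spec:
  severity: 7                   # 1 (low) .. 10 (high), carried in the alert
  tags: ["cert-bundle", "package-manager"]   # free-form labels for the alert
  message: "write to cert bundle or package-manager execution blocked"
  selector:
    matchLabels:
      app: nginx                # assumed workload label
  file:
    matchDirectories:
      - dir: /etc/ssl/
        recursive: true
        readOnly: true          # reads still succeed; only writes are blocked
  process:
    matchPaths:
      - path: /usr/bin/apt
      - path: /usr/bin/apt-get
      - path: /usr/bin/dpkg
  action: Block
```

Apply it with `kubectl apply -f` and watch the resulting alerts with `karmor logs`; when a matching operation is attempted, the LSM denies it and KubeArmor emits an alert carrying the pod, namespace and container identity. A practical caveat: roll a new policy out with `action: Audit` first, so that a mismatch in binary paths (a distroless image with no `/usr/bin/apt`, or a shell living somewhere else) shows up as alerts rather than as a broken workload, then switch to `Block`. The same spec shape applies to nodes and VMs via `kind: KubeArmorHostPolicy`, with a `nodeSelector` in place of `selector`.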

Harden Infrastructure
  • Protect critical paths such as cert bundles
  • MITRE, STIG and CIS based rules
  • Restrict access to raw DB tables
Least Permissive Access
  • Process whitelisting
  • Network whitelisting
  • Control access to sensitive assets
Application Behavior
  • Process execs, file system accesses
  • Service binds, ingress and egress connections
  • Sensitive system call profiling
Deployment Models
  • Kubernetes deployment
  • Containerized deployment
  • VM/bare-metal deployment
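The "Least Permissive Access" items rely on Allow rules rather than Block rules. Below is an added example (not the project's own policy) of a process and network allow-list for an assumed `app: nginx` workload in an assumed namespace `web`: only the nginx binary may execute, and only it may open TCP sockets.

```yaml
# Added example, not a policy shipped by the KubeArmor project.
# Assumed: namespace "web", pods labelled app=nginx, nginx binary at /usr/sbin/nginx.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-allowlist         # assumed name
  namespace: web                # assumed namespace
spec:
  severity: 5
  message: "process or protocol outside the nginx allow-list"
  selector:
    matchLabels:
      app: nginx                # assumed workload label
  process:
    matchPaths:
      - path: /usr/sbin/nginx   # the only executable permitted to run
  network:
    matchProtocols:
      - protocol: tcp
        fromSource:
          - path: /usr/sbin/nginx   # TCP only when the socket is opened by nginx
  action: Allow
```

With `action: Allow`, anything the rules do not list falls under KubeArmor's default posture for the namespace, which can be set to audit or block; check which one is in effect in your cluster before relying on the policy to block. Real images usually need more entries: the entrypoint script, its interpreter and any helper binaries it calls must be allow-listed too, which is why capturing the workload's process and network behaviour with KubeArmor's telemetry first (the "Application Behavior" items) is the usual way to derive the list.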

Architecture Overview

[Figure: KubeArmor High Level Design]

Documentation

Contributors

Biweekly Meeting

Community & Governance

KubeArmor is a community-governed project. The governance documents in the repository (GOVERNANCE.md and the files it references) describe how the project is run.

Notice/Credits

  • KubeArmor uses Tracee's system call utility functions.

CNCF

KubeArmor is a Sandbox Project of the Cloud Native Computing Foundation (CNCF).

ROADMAP

The KubeArmor roadmap is tracked via KubeArmor Projects.

Related Repositories

KubeArmor is more than a single repository. The following repositories under the kubearmor GitHub organization are part of the wider project. Each is governed under GOVERNANCE.md; see the Subprojects section there for how core and community subprojects are classified.

Note: This list covers actively maintained repositories. For the complete (including archived) list, see the organization page.

Core

| Repository | What it is |
| --- | --- |
| KubeArmor | The main runtime security enforcement daemon (this repository). |
| kubearmor-client | karmor, the official command-line tool for installing, configuring and observing KubeArmor. |
| charts | Official Helm charts for KubeArmor and the KubeArmor Operator. |
| policy-templates | Community-curated library of System and Network policy templates for KubeArmor (and Cilium). |
| kubearmor.io | Source for the kubearmor.io website. |
| .project | Project metadata for CNCF .project automation (CLOMonitor, landscape, etc.). |

Integrations and adapters

| Repository | What it is |
| --- | --- |
| otel-adapter | OpenTelemetry receiver for KubeArmor events and alerts. |
| kubearmor-prometheus-exporter | Prometheus exporter for KubeArmor metrics. |
| kubearmor-relay-server | Relay/log streaming server that aggregates events from KubeArmor agents. |
| kubearmor-kafka-client | Kafka client for streaming KubeArmor logs to a Kafka cluster. |
| kubearmor-log-client | Standalone log client (stdout or file) for consuming KubeArmor logs. |
| grafana-datasource | Grafana data source backend for visualising KubeArmor data. |
| kubearmor-dashboards | ELK-stack dashboards for KubeArmor logs and alerts. |
| kubearmor-action | GitHub Action that runs KubeArmor against a workload for CI security checks. |
| rancherui | Rancher Manager UI extension for managing KubeArmor through Rancher. |
| sidekick | Glue to connect KubeArmor events into downstream ecosystems. |

Deployment and packaging

| Repository | What it is |
| --- | --- |
| custom-packages | Custom .deb / .rpm packaging definitions. |
| packer-plugin-kubearmor | HashiCorp Packer plugin for baking KubeArmor into images. |

Specialised projects

| Repository | What it is |
| --- | --- |
| k8tls | Pronounced "cattles"; assesses server port security by detecting TLS and certificate configuration. |
| modelarmor | ML model security, including a pickle-injection PoC and adversarial-attack demos. |
| kvm-service | Service for orchestrating KubeArmor policies to VMs and bare-metal hosts via either a Kubernetes or non-Kubernetes control plane. |
| libbpf | Go eBPF helper library based on the upstream libbpf API. |
| kbc | KubeArmor Benchmark Calculator. |

This list is maintained iteratively; open a pull request to add a new repository or correct a description.

About

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (LSM-BPF, AppArmor).
