Policies Libraries

A community-owned library of Kubernetes System and Network policies

Policy Templates overview

Please follow the hierarchy while contribution

.
├── mitre
│   ├── network
│   │   └── cnp-firewall-world-block.yaml
│   ├── system
│   │   └── ksp-postgres-allow.yaml
│   │   └── ksp-privilage-pod-block.yaml
├── pci-dss
│   ├── network
│   │   └── cnp-cardholder-data-block.yaml
│   ├── system
│   │   └── ksp-protect-cardholder-data-audit.yaml
├── nist
│   ├── network
│   │   └── cnp-account-management-block.yaml
│   ├── system
│   │   └── ksp-remote-file-copy-block.yaml
│   │   └── ksp-active-directory-audit.yaml
├── cves
│   ├── network
│   │   └── cnp-CVE-2009-0932.yaml
│   ├── system
│   │   └── ksp-CVE-2021-29156.yaml
│   │   └── ksp-CVE-2021-29442.yaml
├── cis
│   ├── system
│   │   └── hsp-scheduler-pod-block.yaml
...

📖 Documentation

Please navigate to https://kubearmor.gitbook.io for detailed documentation to deploy KubeArmor and create own custom templates. We have also added a set of templates to help you understand how things work.

💪 Contributions

Policy-templates is powered by major contributions from the community and an initiative from AccuKnox. Refer Contribution for more info

💬 Discussion

Got questions / doubts / ideas to discuss? Feel free to open a discussion on Github discussions board.

👨‍💻 Test it yourself

Assuming cluster is configured, this can be verified via using kubectl config current-context command. If not follow this

Step #1: Download and install karmor CLI binary on your local machine

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin

Step #2: Install KubeArmor using karmor CLI tool

karmor install

Step #3: Deploy sample application on configured cluster, we'll use nginx as deployment here

kubectl apply -f https://k8s.io/examples/application/deployment.yaml
kubectl get pods -l app=nginx

Step #4: Applying MITRE Policy to block system owner discovery command

kubectl apply -f https://raw.githubusercontent.com/kubearmor/policy-templates/main/mitre/system/ksp-mitre-system-owner-user-discovery.yaml

Step #05: Checking if system owner command is Blocked or not

kubectl exec -it --namespace default nginx-deployment-xxxxxxxxxx-xxxxx -- bash
root@nginx-deployment-687d8556b7-8wjmj:/# whoami
bash: /usr/bin/whoami: Permission denied

Replace nginx-deployment-xxxxxxxxxx-xxxxx with pod name from Step #3.
We can see the command didn't executed and instead we got Permission denied

Step #6: Getting telemetry/alerts for KubeArmor

kubectl port-forward -n kube-system svc/kubearmor 32767:32767

Keep this terminal open, and in another terminal type

karmor log

Name		Name	Last commit message	Last commit date
Latest commit History 2,259 Commits
MySQL/system		MySQL/system
cassandra		cassandra
cis/system		cis/system
cve		cve
django		django
elastic		elastic
exposures		exposures
golang/system		golang/system
java/system		java/system
logs/system		logs/system
malware		malware
misconfiguration		misconfiguration
mitre		mitre
nginx		nginx
nist		nist
npm/system		npm/system
pci-dss		pci-dss
postgresql/system		postgresql/system
python		python
ransomware/network		ransomware/network
redis		redis
stigs		stigs
wordpress/system		wordpress/system
CONTRIBUTING.MD		CONTRIBUTING.MD
LICENSE		LICENSE
README.md		README.md
metadata.yaml		metadata.yaml

License

kubearmor/policy-templates

Folders and files

Latest commit

History

Repository files navigation

Policies Libraries

Policy Templates overview

📖 Documentation

💪 Contributions

💬 Discussion

👨‍💻 Test it yourself

About

Topics

Resources

License

Stars

Watchers

Forks