Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubearmor does not enforce anything on pod's entrypoint or execs to kubernetes pods #1728

Open
alexeysofin opened this issue Apr 18, 2024 · 0 comments
Open

Kubearmor does not enforce anything on pod's entrypoint or execs to kubernetes pods #1728

alexeysofin opened this issue Apr 18, 2024 · 0 comments
Labels
bug Something isn't working

Comments

@alexeysofin
Copy link

Bug Report

General Information

  • Environment description
    kind k8s
  • Kernel version
Linux *** 6.5.0-27-generic #28~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Mar 15 10:51:06 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
  • Orchestration system version in use
Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.2

To Reproduce

  1. Apply policy
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: allow-exec-binaries
  namespace: default
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /
      recursive: true
  process:
    matchPaths:
    - path: /usr/bin/sleep
    - path: /usr/sbin/nginx
  selector:
    matchLabels:
      app: nginx
  1. Create nginx deployment
kubectl create deployment nginx --image=nginx
  1. Exec to running pod
kubectl exec -ti $(kubectl get pod -l app=nginx -o name) -- bash

Expected behavior

Permission denied for bash or at least more clear documentation for how k8s exec commands and apparmor profiles are inter-related. Scrolling though code, I couldn't easily find what's happening either.

Generated apparmor profile looks as follows /etc/apparmor.d/kubearmor-default-nginx-nginx

## == Managed by KubeArmor == ##
#include <tunables/global>

## == Dispatcher profile START == ##
profile kubearmor-default-nginx-nginx flags=(attach_disconnected,mediate_deleted) {
	## == PRE START == ##
	#include <abstractions/base>
	
	network,
	capability,
	## == PRE END == ##
  
	## == File/Dir START == ##
	/{,**} klmrw,
	## == File/Dir END == ##
	## == DISPATCHER START == ##
	/usr/bin/sleep ix,
	/usr/sbin/nginx ix,
	## == DISPATCHER END == ##
  
  ## == Network START == ##
  ## == Network END == ##
  
  ## == Capabilities START == ##
  ## == Capabilities END == ##
  
	## == Native Policy START == ##

	## == Native Policy END == ##

  
	## == POST START == ##
	/lib/x86_64-linux-gnu/{*,**} rm,
	
	deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
	deny @{PROC}/sysrq-trigger rwklx,
	deny @{PROC}/mem rwklx,
	deny @{PROC}/kmem rwklx,
	deny @{PROC}/kcore rwklx,

	
	deny mount,
	

	deny /sys/[^f]*/** wklx,
	deny /sys/f[^s]*/** wklx,
	deny /sys/fs/[^c]*/** wklx,
	deny /sys/fs/c[^g]*/** wklx,
	deny /sys/fs/cg[^r]*/** wklx,
	deny /sys/firmware/efi/efivars/** rwklx,
	deny /sys/kernel/security/** rwklx,

	## == POST END == ##
}
## == Dispatcher profile END == ##

## == FromSource per binary profiles START == ##
## == FromSource per binary profiles END == ##

## == Templates section START == ##

And this same profile if applied without kubearmor does prevent bash or anything other than nginx/sleep from running which makes sense, moreover it prevents nginx from running because of missing some other permissions. Is kubearmor somewhat different in that regard? Maybe someone can at least point to the code where this logic that skips enforcement of commands lives.
@alexeysofin alexeysofin added the bug Something isn't working label Apr 18, 2024
@daemon1024 daemon1024 mentioned this issue Apr 19, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@alexeysofin