# KubeArmor

<https://github.com/kubearmor/KubeArmor>

![KubeArmor logo](https://296194292-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLoAqAoOfr7XVUQw7Gff8%2Fuploads%2Fgit-blob-e6d14fd78f87efa0b8803a3f6fdf04093d66d094%2Flogo.png?alt=media)

KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level.

KubeArmor leverages [Linux security modules (LSMs)](https://en.wikipedia.org/wiki/Linux_Security_Modules) such as [AppArmor](https://en.wikipedia.org/wiki/AppArmor), [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), or [BPF-LSM](https://docs.kernel.org/bpf/prog_lsm.html) to enforce the user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.

| 💪 <https://github.com/kubearmor/KubeArmor/blob/main/getting-started/hardening_guide.md><br>⛓️ Protect critical paths such as cert bundles<br>📋 MITRE, STIGs, CIS based rules<br>🛅 Restrict access to raw DB table | 💍 <https://github.com/kubearmor/KubeArmor/blob/main/getting-started/least_permissive_access.md><br>🚥 Process Whitelisting<br>🚥 Network Whitelisting<br>🎛️ Control access to sensitive assets |
| --- | --- |
| 🔭 <https://github.com/kubearmor/KubeArmor/blob/main/getting-started/workload_visibility.md><br>🧬 Process execs, File System accesses<br>🧭 Service binds, Ingress, Egress connections<br>🔬 Sensitive system call profiling | ❄️ <https://github.com/kubearmor/KubeArmor/blob/main/getting-started/deployment_models.md><br>☸️ Kubernetes Deployment<br>🐋 Containerized Deployment<br>💻 VM/Bare-Metal Deployment |
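As an added example (not part of this README or the KubeArmor project's own sample set), the policy below shows how the process and file restrictions described above are expressed for a pod: shells are blocked from executing, and a cert bundle directory is made read-only. Field names follow the `KubeArmorPolicy` CRD (`security.kubearmor.com/v1`) and should be checked against the linked Security Policy Spec; the namespace, pod label and paths are constructed for illustration.

```yaml
# Added example: KubeArmorPolicy hardening a hypothetical "payments-api" pod.
# Namespace, labels and paths below are constructed, not taken from the page.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: payments-harden-certs-and-shells
  namespace: payments                  # constructed namespace
spec:
  severity: 7                          # 1 (low) .. 10 (critical), surfaced in alerts
  tags: ["hardening", "cert-bundle"]
  message: "Blocked shell exec or write to cert bundle in payments pod"
  selector:
    matchLabels:
      app: payments-api                # constructed pod label the policy applies to
  process:
    # Block interactive shells from being executed inside the matched pods.
    matchPaths:
      - path: /bin/sh
      - path: /bin/bash
  file:
    # Cert bundle stays readable; with readOnly, only write operations hit `action`.
    matchDirectories:
      - dir: /etc/ssl/certs/
        recursive: true
        readOnly: true
    # Any access to the shadow file is blocked outright.
    matchPaths:
      - path: /etc/shadow
  action: Block                        # enforced by the node's LSM (AppArmor/SELinux/BPF-LSM)
```

Apply it with `kubectl apply -f policy.yaml`; a blocked exec or write in a matching pod then shows up as an alert carrying the pod, container and namespace identity, which is the telemetry path the paragraph above describes.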

## [Architecture Overview](https://github.com/kubearmor/KubeArmor#architecture-overview)

![KubeArmor architecture overview](https://296194292-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLoAqAoOfr7XVUQw7Gff8%2Fuploads%2Fgit-blob-636a74f59e3a57dcaa17485e9c6165bd1fc89bc8%2Fkubearmor_overview.png?alt=media)

## [Documentation 📓](https://github.com/kubearmor/KubeArmor#documentation-notebook)

* 👉 [Getting Started](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/deployment_guide/README.md)
* 🎯 [Use Cases](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/use-cases/README.md)
* ✔️ [KubeArmor Support Matrix](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/support_matrix/README.md)
* ♟️ [How is KubeArmor different?](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/differentiation/README.md)
* 📜 Security Policy for Pods/Containers \[[Spec](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/security_policy_specification/README.md)] \[[Examples](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/security_policy_examples/README.md)]
* 📜 Security Policy for Hosts/Nodes \[[Spec](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/host_security_policy_specification/README.md)] \[[Examples](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/host_security_policy_examples/README.md)] ... [detailed documentation](https://docs.kubearmor.io/kubearmor/)

### [Contributors 👥](https://github.com/kubearmor/KubeArmor#contributors-busts_in_silhouette)

* 📘 [Contribution Guide](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/contribution_guide/README.md)
* 🧑‍💻 [Development Guide](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/development_guide/README.md), [Testing Guide](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/testing_guide/README.md)
* ✋ [Join KubeArmor Slack](https://join.slack.com/t/kubearmor/shared_invite/zt-1ltmqdbc6-rSHw~LM6MesZZasmP2hAcA)
* ❓ [FAQs](https://gitlab.com/johnmkane/tech-recipe-book/-/blob/main/Book/Architect/Kubernetes/Isolation/KubeArmor/FAQ/README.md)

### [Biweekly Meeting](https://github.com/kubearmor/KubeArmor#biweekly-meeting)

* 🗣️ [Zoom Link](http://zoom.kubearmor.io/)
* 📄 Minutes: [Document](https://docs.google.com/document/d/1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs/edit)
* 📆 Calendar invite: [Google Calendar](http://www.google.com/calendar/event?action=TEMPLATE&dates=20220210T150000Z%2F20220210T153000Z&text=KubeArmor%20Community%20Call&location=&details=%3Ca%20href%3D%22https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs%2Fedit%22%3EMinutes%20of%20Meeting%3C%2Fa%3E%0A%0A%3Ca%20href%3D%22%20http%3A%2F%2Fzoom.kubearmor.io%22%3EZoom%20Link%3C%2Fa%3E&recur=RRULE:FREQ=WEEKLY;INTERVAL=2;BYDAY=TH&ctz=Asia/Calcutta), [ICS file](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/resources/KubeArmorMeetup.ics)

## [Notice/Credits 🤝](https://github.com/kubearmor/KubeArmor#noticecredits-handshake)

* KubeArmor uses [Tracee](https://github.com/aquasecurity/tracee/)'s system call utility functions.

## [CNCF](https://github.com/kubearmor/KubeArmor#cncf)

KubeArmor is a [Sandbox Project](https://www.cncf.io/projects/kubearmor/) of the Cloud Native Computing Foundation.

![CNCF Sandbox](https://296194292-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLoAqAoOfr7XVUQw7Gff8%2Fuploads%2Fgit-blob-4623d5e5b6d7d045cc7650c43a3701994357d19e%2Fcncf-sandbox.png?alt=media)
