►
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe in Amsterdam, The Netherlands from April 17-21, 2023. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Armoring Cloud Native Workloads With LSM Superpowers - Barun Acharya, Accuknox
Speakers: Barun Acharya
Containers are not protected by default as the various tools for security into place provides perimeter security at the host, or the network and not necessarily the workload itself. LSMs(Linux Security Modules) provide with security hooks necessary to set up least permissive perimeter for various workloads. KubeArmor is a cloud-native runtime security enforcement system that leverages various LSMs to secure your workloads. LSMs are a really powerful system but they come with a high barrier of entry, steep learning curve and do not provide enough metadata for modern cloud native workloads. This talk will be about how KubeArmor leverages LSM superpowers to abstract away the complexities to help protect modern cloud native workloads, how we leverage eBPF to provide context about what's happening in the containers, how various kernel primitives fair with each to protect modern container workloads and what design considerations/challenges for integrating various LSM into KubeArmor.
A
Hello,
everyone
thank
you
for
joining
me
on
my
session
on
armoring
cloud
native
workloads
with
LSM
superpowers.
I
am
varunachada.
I
am
a
software
engineering
intern
at
equinox,
working
on
open
source,
Cloud
Security
Solutions,
with
the
various
advantages
that
containers
provide
organizations
worldwide
are
rapidly
adopting
containers
in
one
form
or
another.
A
We
usually
have
some
static
analyzers
in
place,
but
they
only
let
us
know
about
what
known
vulnerabilities
are.
Containers
are
vulnerable
to,
but
recent
vulnerabilities,
like
log
4J
and
pawn
kit,
could
not
have
been
detected.
Statically.
That's
like
zero
days.
Malware
meant
to
evade
analyzers
and
privileges
escalation.
Attempts
manifest
at
runtime
and
cannot
be
detected
statically.
A
So
how
do
we
deal
with
vulnerabilities
that
manifest
at
runtime?
We
deal
with
them
at
runtime,
so
container,
runtime
security?
We
actively
monitor,
what's
happening
with
our
containers
at
runtime
and
try
to
detect
for
the
malicious
in
depth.
But
how
do
we
go
about
this
to
better
understand?
Let's
go
through
an
analogy:
let's
imagine,
containers
as
a
private
apartment,
a
private
apartment
with
John
and
Jane
each
having
their
own
rooms.
They
have
a
kitchen
and
some
maintenance
staff
around
John
and
Jane
value.
A
A
Let's
take
this
analogy
back
to
Containers.
We
have
now
a
WordPress
app,
a
MySQL
app.
They
each
have
their
own
configurations
and
directory.
They
need
shared
libraries
to
function,
and
then
we
have
cat
and
PS
and
other
maintenance.
Binaries
that
help
us
around
in
case
something
is
broken
but
like
I
mentioned,
Apache
WordPress
should
only
be
able
to
access
the
WordPress,
config
and
MySQL
app
should
only
be
able
to
access
the
MySQL
directory,
but
what?
A
If
they
try
to
access
something
else
themselves
or
the
files
are
being
accessed
by
someone
else
specific
other
than
the
binaries?
We
know
that
something
malicious
is
happening.
They
cannot
really
restrict
Jon
and
Jane
to
tell
them
what
to
do
violating
their
human
rights,
but
we
can
restrict
our
containers
to
tell
them
what
to
do
and
prevent
them
from
from
performing
actions
like
these,
we
have
established
the
fact
that
containers
are
not
a
black
box.
We
need
to
profile
and
understand
the
entities
inside
the
containers
as
well.
A
Even
if
we
imagine
whatever
is
happening
inside
containers
won't
have
anything
outside
our
containers
have
access
to
the
outside
configurations
as
well.
Containers
have
to
network
with
the
world
and
the
other
peer
Network
containers.
They
access
capabilities
from
the
kernel,
their
access
to
host
Define
Mount
points
as
well.
A
Now
what?
If
a
malicious
binary
somehow
enters
the
container,
it
would
gain
to
access
it
would
gain
access
to
all
these
Mount
points,
Network
and
capabilities.
Hence,
there's
a
need
to
understand
the
entities
inside
our
container.
We
need
to
profile
our
containers
beforehand
and
have
fine-grained
access
control
such
that,
even
if
a
malicious
binary
sneaks
in
somehow
it
won't
be
able
to
do
anything.
A
So
so,
let's
see
what
we
need
to
enforce
this
fine
grained
Access
Control
at
runtime.
There
are
two
ways
to
go
about
it.
Once
we
detect
the
malicious
activity,
we
alert
the
activity
and
take
action
on
the
activity
after
we
receive
the
alert
or
as
soon
as
the
malicious
activity
is
detected,
the
action
is
taken
by
a
security
engine
already,
and
then
we
receive
the
alert
for
further
investigation.
A
The
prime
method
is
called
acing
enforcement.
Essentially
we
restart
detection
engine
receives
the
kernel
event,
it
alerts
us
and
we
then
decide
to
terminate
the
activity,
but
once
this
entire
cycle
happens,
the
malicious
activity
could
have
already
sneaked
into
deeper
areas
of
our
container.
So
the
other
method
is
inline
enforcement.
As
soon
as
we
detect
that
there's
a
malicious
activity,
we
deny
it
then
and
there
itself,
and
then
we
received
the
alert
for
further
investigation
that
what
might
have
triggered
this.
A
A
Let's
take
a
first
date:
let's
take
another
look
at
ldp
load.
First,
LD
payload
is
a
user
space
control.
It
overrides
Dynamic
libraries
and
applications
go
through
these
libraries,
so
we
have
fine-grained
access
control
over
them,
but
attackers
can
invoke
CIS
calls
without
going
through
the
dynamic
libraries
at
all
suppose,
go
Application
statically
embed
their
binaries
with
the
library
files,
so
they
never
need
to
go
through
the
modified
library
at
all.
A
Next,
second,
let's
say
sandbox.
Our
containers
with
various
system
calls
what
what
system
calls
is
accessible
to
them.
It
is
natively
integrated
with
kubernetes,
Docker
and
other
container
runtimes,
but
the
issue
here
is
that
Dynamic
enforcement
is
not
possible
and
there
are
limited
filtering
options.
We
cannot
decide
inside
a
container
what
application
needs
to
access,
what
systems
response
it
treats
container
as
a
single
entity.
A
A
We
have
Port
security
context.
Pod
security
context
defines
the
privilege
and
access
control
settings
for
a
port
or
a
container
security
content.
Settings
include,
but
are
not
limited
to
Second
capabilities,
app
armor
and
SL
Linux
setcom
capable.
Let's
take
a
look
at
SEC
comp
capabilities
and
SC
Linux.
First,
they,
the
issue
with
them,
is
that
they
treat
container
as
a
single
entity
and
apply
the
security
posture
across
the
container.
A
But,
as
we
discussed
earlier,
we
needed
that
fine
growth,
fine
grain
control
over
the
entities
inside
our
contactor,
then
we
have
a
power
mode.
App
armor,
app
armor
provides
us
with
the
prime
gained
access
control
we
needed
and
it
is
well
integrated
with
the
modern
ecosystem.
We
can
apply
annotations
to
link
it
to
our
apparent
profile,
but
then
we
have
a
learning
curve
associated
with
the
apartment
policy.
Language
also
app
armor
is
not
readily
available
on
all
the
systems.
A
A
So
defining
a
problem
statement.
We
need
access
control
on
container
entities.
We
need
a
declarative
way
to
manage
policies
for
these
Access
Control.
We
need
inline
policy
enforcement
and
importantly,
we
need
the
Telemetry
events
to
have
the
context
introducing
Cube
armor
Cube
armor
is
a
cloud
native
runtime
security
enforcement
system
that
restricts
the
behavior,
such
as
process
execution,
file,
accesses
and
network
operations
of
containers
and
nodes
at
the
system
level.
A
Cube
armor
then
listens
to
the
security
policies
that
user
sends
and
converts
them
into
the
kernel
space
rules
to
have
inline
Access
Control
inside
containers,
utilizes
ebpf
for
observability
lets
us
extend
kernel
in
a
safe
and
performance.
It
has
established
itself
in
the
cloud
native
space
and
is
a
go-to
solution
for
observability
these
days
and
then
Q
barma
utilizes
lsms
for
enforcement.
When
Q
Barber
receives
the
policies
it
converts
them
into
app.
A
Armor
profiles,
dpfls
and
bytecode,
or
SC
Linux
labels
which
are
enforced
and
are
responsible
for
the
decision
making
inside
corner,
as
we
established
earlier.
Lsms
are
a
proven
technology
for
Access,
Control
and
paired
with
ebpf
and
leveraging
information
from
container
apis.
We
have
a
holistic
solution
per
container
runtime
security
system.
A
Let's
check
out
Q
barber
in
action,
some
context
about
what
we
are
going
to
see
in
the
demo.
We
will
have
an
Apache,
WordPress
MySQL
application,
which
in
which
we
will
showcase
how
we
can
allow
specific
entities
and
deny
the
rest
how
we
can
restrict
our
application.
Access
to
certain
kernel
calls
so
also
kubernetes,
auto
mode
service
account
tokens,
even
if
we
or
like
set
it
or
set
Auto
Mount
to
false,
which
Bill
might
need
access
to
those
tokens.
A
A
A
A
So
this
is
how
a
sample
Cube
armor
policy,
looks
like
we
Define
it
as
cube
armor
policy
we
can
specify
which
selector
labeled
it
should
match
upon
to.
We
have
file
Network
processes
and
other
entities
that
we
can
specify
and,
finally,
our
action,
which
can
be
allowed
to
specify
whitelisting
policies,
block
2,
specify
blacklisting
and
we
can
audit
things
as
well.
In
this
policy,
we
are
trying
to
block
access
to
anything
inside
the
misql
directory.
A
As
soon
as
we
try
to
write
a
file
to
this
directory,
The
Bash
told
us
that
permission
is
delayed
and
a
relevant
Telemetry
event
was
generated
for
us,
the
Telemetry
event
included
what
was
the
host?
What
name
space
What
part?
What
was
the
container
ID
container
image
all
the
relevant
information
that
would
not
have
been
available
in
our
audit
logs
is
available
here,
and
these
it
also
includes,
which
was
the
policy
that
caused
it
to
be
denied,
and
what
was
the
file
process
name
file?