Amazon Linux 2 Support for BPF-LSM #1005
Comments
@vennemp, this seems strange... Can you provide us with the AMI ID so that we can set up a local env?

@vennemp, can you explain the steps on how to get this setup done? Thanks
@nyrahul Sorry, just saw this. I used the latest AL2 K8s 1.21 AMI, ami-0ebf68cf21e6c55fd (there may be a newer one). This uses kernel 5.4 by default, so I manually updated the kernel to 5.15 using the steps outlined here: https://aws.amazon.com/premiumsupport/knowledge-center/amazon-linux-2-kernel-upgrade/ Are there additional packages that need to be installed? I reached out to our TAM at AWS and they did not have any guidance on this; they only had guidance for Bottlerocket. However, even that was not working after following the instructions in this article. Maybe I'm missing something. Are there custom packages that need to be installed for BPF-LSM to be enabled on AL2 and Bottlerocket?

Hey @vennemp, thank you for the response. We will set up this env ourselves and check this support. As mentioned in the KubeArmor support matrix, with the default Amazon Linux (kernel 5.4) only audit will work. But with higher kernel versions, the BPF-LSM typically is available and should work. We validated this before by installing Amazon Linux 2 (kernel 5.8) on an EC2 instance and then using k3s on top of it. Btw, the EKS Bottlerocket simply works with these 3 steps:
The Host/Container Security is set to The "Default Posture" indicates what should happen to actions that are not in the allowed list. Should they be audited or blocked? For example, if you have the following policy:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: auto-generated-policy
  namespace: dvwa
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /
      recursive: true
  process:
    matchPaths:
    - path: /usr/sbin/apache2
    - path: /bin/ping
  selector:
    matchLabels:
      app: dvwa-web
      tier: frontend
  severity: 1
---
```

The policy states that allow execution of only Further regarding Default Posture, it is possible to set the posture at the individual namespace level (ref). For example, you can have two namespaces, one with default audit and another with default block. Our users indicated that they have workloads of different maturity in different namespaces and hence they would like different default postures. Hope this makes sense. Would be great to hear your thoughts on this.
That makes sense! Thank you for the explanation. How is it coming with the analysis of AL2 / BPF-LSM support?

Hey @vennemp, good news! We know the reason why BPF-LSM didn't work for the AL2 5.15 kernel. The AL2 5.15 kernel already has BPF-LSM enabled, but the bpf filesystem is not mounted. If you mount the bpf filesystem on the AL2 node, it will work. Steps:
We will check how to automate the fs mounting. This will be automated in v0.9 for sure. karmor probe output:
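The diagnosis above has two independent parts: the kernel must list `bpf` among its active LSMs, and a `bpf` filesystem must be mounted (normally at /sys/fs/bpf) for the enforcer to pin its programs and maps. The following script is an added example, not KubeArmor's own code or the maintainers' steps; it checks both conditions on a node, mounts bpffs if it is missing, and persists the mount in /etc/fstab. The file paths (/sys/kernel/security/lsm, /proc/mounts, /sys/fs/bpf) are the standard kernel interfaces; the function and option names are this example's own. The checks take the file paths as parameters so they can be run against constructed inputs as well as the live node.

```shell
#!/bin/sh
# Added example (not KubeArmor code): check whether the BPF LSM is active
# and bpffs is mounted, and mount bpffs when it is not.
set -eu

# Return 0 if "bpf" appears in the comma-separated active LSM list.
# $1: path of the LSM list; defaults to /sys/kernel/security/lsm (securityfs).
lsm_has_bpf() {
  lsm_file="${1:-/sys/kernel/security/lsm}"
  [ -r "$lsm_file" ] || return 1
  tr ',' '\n' < "$lsm_file" | grep -qx 'bpf'
}

# Return 0 if a filesystem of type "bpf" is mounted at $2 according to the
# mounts table $1 (field 2 = mount point, field 3 = fs type in /proc/mounts).
bpffs_mounted() {
  mounts="${1:-/proc/mounts}"
  mnt="${2:-/sys/fs/bpf}"
  awk -v m="$mnt" '$2 == m && $3 == "bpf" { found = 1 } END { exit !found }' "$mounts"
}

# Mount bpffs at /sys/fs/bpf if missing and add an fstab entry so the mount
# survives reboots. Mounting bpffs does not itself enable the LSM: the kernel
# still has to be one that reports bpf in its active LSM list.
ensure_bpffs() {
  if bpffs_mounted; then
    echo "bpffs already mounted at /sys/fs/bpf"
    return 0
  fi
  mkdir -p /sys/fs/bpf
  mount -t bpf bpf /sys/fs/bpf
  grep -Eq '^bpffs[[:space:]]+/sys/fs/bpf' /etc/fstab 2>/dev/null \
    || printf 'bpffs /sys/fs/bpf bpf defaults 0 0\n' >> /etc/fstab
  echo "mounted bpffs at /sys/fs/bpf"
}

# Report both checks for the live node. Exits non-zero if either fails, so
# the script can gate a KubeArmor rollout (e.g. from a DaemonSet init step).
node_report() {
  status=0
  if lsm_has_bpf; then echo "bpf LSM: active"; else echo "bpf LSM: NOT active"; status=1; fi
  if bpffs_mounted; then echo "bpffs: mounted"; else echo "bpffs: NOT mounted"; status=1; fi
  return "$status"
}

# Usage on a node: `sh bpflsm-check.sh --check` to diagnose,
# `sudo sh bpflsm-check.sh --apply` to mount bpffs.
case "${1:-}" in
  --apply) ensure_bpffs ;;
  --check) node_report ;;
esac
```

If `--check` reports the LSM as not active on a node that was supposedly upgraded, the node is still running the 5.4 kernel (kernel upgrades on AL2 take effect only after a reboot); if the LSM is active but bpffs is not mounted, `--apply` corresponds to the fix described in the comment above.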
I have AL2 EKS worker nodes running on Kernel version 5.15. Do you have any guidance or documentation on enabling BPF-LSM in kubearmor for AL2 nodes?
The active LSM is blank and all the Postures are listed as "audit" mode.