-
Notifications
You must be signed in to change notification settings - Fork 350
Enforcer Feature Parity
Barun Acharya edited this page Jan 24, 2024
·
2 revisions
KubeArmor leverages LSMs for enforcement, there's a disparity in how KubeArmor functions with whichever LSM is available. Here's a summarised table for that.
Feature/Behaviour | BPF LSM | AppArmor |
---|---|---|
kubectl exec | Policy Enforced on Immediate Child | Policy not Enforced on Immediate Child |
Deployment with allowPrivilegeEscalation to false
|
Full Enforcement | Limited Enforcement |
Policy Enforcement for matchPatterns
|
Not Supported | Globbing Syntax Support |
Network Rules | Full Enforcement | ICMP Rules not working |
Accurate Alerting | Alert generated when blocked | Alerts generated from eBPF monitor based on deterministic policy matching |