Zero Trust Architecture with Kubearmor on MS Azure

Zero Trust Architecture (ZTA) is a security model that assumes that every request, whether internal or external, is a threat. It is an approach to system design where inherent trust in the network is removed. Instead, the network is assumed hostile and each access request is verified, based on an access policy 1.

KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level. KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce the user-specified policies 2.

To apply the principles of Zero Trust to virtual machines in Azure, Microsoft recommends the following steps 3:

  1. Configure logical isolation for virtual machines.
  2. Leverage Role Based Access Control (RBAC).
  3. Secure virtual machine boot components.
  4. Minimize blast radius and segment access.
  5. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
  6. Isolate virtual machines with resource groups, secure their components, use double encryption, and enable advanced threat detection and protection.

Cybersecurity trends for 2022 include 4:

  1. Attack surface expansion.
  2. Identity system defense.
  3. Digital supply chain risk.
  4. Vendor consolidation.
  5. Cloud security posture management.
  6. Security mesh.
  7. Zero trust security.

To secure its environment, an organization can use KubeArmor to restrict specific behavior of process executions, file accesses, networking operations, and resource utilization inside of their workload. KubeArmor directly enforces security policies using Linux Security Modules (LSMs) for each workload based on the identities (e.g., labels) of given containers or workloads. KubeArmor produces alert logs for policy violations by monitoring the operations of containers’ processes using its eBPF-based monitor. KubeArmor manages internal complexities associated with LSMs and provides easy semantics for policy definitions. KubeArmor allows applying policy settings at the level of network system calls, controlling interactions among containers. KubeArmor provides a Kubernetes-native security enforcement engine that allows operators to define security policies based on Kubernetes metadata and simply apply them into Kubernetes 256.

Here is an example of how to deploy and configure KubeArmor in a Kubernetes environment:

  1. First, create a Kubernetes cluster. You can use Azure Kubernetes Service (AKS) to create a cluster.
  2. Install KubeArmor by running the following command:
kubectl apply -f
  1. Verify that KubeArmor is installed by running the following command:
kubectl get pods -n kube-system | grep kubearmor
  1. Create a policy file for KubeArmor. Here is an example policy file:
kind: KubeArmorPolicy
  name: example-policy
  - name: nginx
        type: svirt_sandbox_file_t
    - id: 1
      kind: FileAccess
      operation: execve
        path: /bin/bash
      action: audit
  1. Apply the policy file by running the following command:
kubectl apply -f example-policy.yaml
  1. Verify that the policy is applied by running the following command:
kubectl get kubearmorpolicies
  1. To test the policy, create a deployment with a container that violates the policy. Here is an example deployment file:
apiVersion: apps/v1
kind: Deployment
  name: nginx-deployment
  replicas: 1
      app: nginx
        app: nginx
      - name: nginx
        image: nginx
        - containerPort: 80
        command: ["/bin/bash"]
  1. Apply the deployment file by running the following command:
kubectl apply -f nginx-deployment.yaml
  1. Verify that the deployment is running by running the following command:
kubectl get pods
  1. Check the logs of the container to see if the policy is being enforced by running the following command:
kubectl logs <pod-name>

This is just a basic example of how to deploy and configure KubeArmor in a Kubernetes environment. For more information, please refer to the official KubeArmor documentation 1.

Discover more from Armel Nene's blog

Subscribe now to keep reading and get access to the full archive.

Continue reading