Zero Trust Architecture with Kubearmor on MS Azure

Zero Trust Architecture (ZTA) is a security model that assumes that every request, whether internal or external, is a threat. It is an approach to system design where inherent trust in the network is removed. Instead, the network is assumed hostile and each access request is verified, based on an access policy ¹.

KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level. KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce the user-specified policies ².

To apply the principles of Zero Trust to virtual machines in Azure, Microsoft recommends the following steps ³:

1. Configure logical isolation for virtual machines.
2. Leverage Role Based Access Control (RBAC).
3. Secure virtual machine boot components.
4. Minimize blast radius and segment access.
5. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
6. Isolate virtual machines with resource groups, secure their components, use double encryption, and enable advanced threat detection and protection.

Cybersecurity trends for 2022 include ⁴:

1. Attack surface expansion.
2. Identity system defense.
3. Digital supply chain risk.
4. Vendor consolidation.
5. Cloud security posture management.
6. Security mesh.
7. Zero trust security.

To secure its environment, an organization can use KubeArmor to restrict specific behavior of process executions, file accesses, networking operations, and resource utilization inside of their workload. KubeArmor directly enforces security policies using Linux Security Modules (LSMs) for each workload based on the identities (e.g., labels) of given containers or workloads. KubeArmor produces alert logs for policy violations by monitoring the operations of containers’ processes using its eBPF-based monitor. KubeArmor manages internal complexities associated with LSMs and provides easy semantics for policy definitions. KubeArmor allows applying policy settings at the level of network system calls, controlling interactions among containers. KubeArmor provides a Kubernetes-native security enforcement engine that allows operators to define security policies based on Kubernetes metadata and simply apply them into Kubernetes ²⁵⁶.

Here is an example of how to deploy and configure KubeArmor in a Kubernetes environment:

1. First, create a Kubernetes cluster. You can use Azure Kubernetes Service (AKS) to create a cluster.
2. Install KubeArmor by running the following command:

kubectl apply -f https://raw.githubusercontent.com/kubearmor/kubearmor/master/deploy/kubearmor.yaml

3. Verify that KubeArmor is installed by running the following command:

kubectl get pods -n kube-system | grep kubearmor

4. Create a policy file for KubeArmor. Here is an example policy file:

apiVersion: security.kubearmor.com/v1beta1
kind: KubeArmorPolicy
metadata:
  name: example-policy
spec:
  containers:
  - name: nginx
    securityContext:
      seLinuxOptions:
        type: svirt_sandbox_file_t
    rules:
    - id: 1
      apiVersion: security.kubearmor.com/v1beta1
      kind: FileAccess
      operation: execve
      match:
        path: /bin/bash
      action: audit

5. Apply the policy file by running the following command:

kubectl apply -f example-policy.yaml

6. Verify that the policy is applied by running the following command:

kubectl get kubearmorpolicies

7. To test the policy, create a deployment with a container that violates the policy. Here is an example deployment file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
        command: ["/bin/bash"]

8. Apply the deployment file by running the following command:

kubectl apply -f nginx-deployment.yaml

9. Verify that the deployment is running by running the following command:

kubectl get pods

10. Check the logs of the container to see if the policy is being enforced by running the following command:

kubectl logs <pod-name>

This is just a basic example of how to deploy and configure KubeArmor in a Kubernetes environment. For more information, please refer to the official KubeArmor documentation ¹.