Single policy to block everything except a few sources #1588

We're trying to understand the policy for the containers. We have already read about the security policy. What we want to achieve is to block file access to the /run/secrets directory except from the php process; currently we have to define two policies. If we do this, blacklist mode is enabled because of the allow action, which means we have to specify all of the other paths in the container.
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: aws-creds-allow-php
  namespace: test
spec:
  selector:
    matchLabels:
      repository: test
  file:
    matchDirectories:
    - dir: /run/secrets/
      fromSource:
      - path: /usr/local/bin/php
  action: Allow   # ==> This falls back to defaultPosture
```
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: aws-creds-block
  namespace: test
spec:
  selector:
    matchLabels:
      repository: test
  file:
    matchDirectories:
    - dir: /run/secrets/
  action: Block
```

Is there a way to achieve this without the blacklist mode behaviour?
Replies: 6 comments 1 reply
Hey @janavenkat, this is a very valid use case. And we already have a particular example which describes this exact use case:

KubeArmor/tests/k8s_env/smoke/res/ksp-wordpress-lenient-allow-sa.yaml (lines 11 to 21 in 0b27784)

If you see here, we are blocking access to the service account folder and only allowing it to /bin/cat. It involves both blacklist and whitelist behaviour, so you cannot change the DefaultPosture just to audit the access.
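The shape the maintainer describes (a Block rule on the directory plus an Allow rule scoped to one source, in a single policy), written out for the original poster's paths as an added example. This is not the contents of the referenced test file; it assumes KubeArmor accepts a per-rule `action` field and the `recursive` flag on `matchDirectories` entries, and the policy name is constructed.

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: secrets-block-except-php   # constructed name for this example
  namespace: test
spec:
  selector:
    matchLabels:
      repository: test
  file:
    matchDirectories:
    # Deny /run/secrets/ (and everything below it) to every process in the pod.
    - dir: /run/secrets/
      recursive: true
      action: Block
    # Carve out the single permitted source. Mixing Block and Allow in one
    # policy gives both blacklist and whitelist behaviour, as noted above.
    - dir: /run/secrets/
      recursive: true
      fromSource:
      - path: /usr/local/bin/php
      action: Allow
```

To confirm the effect, read a file under /run/secrets/ once from php and once from another process while watching `karmor logs`; only the second access should appear as blocked.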
@daemon1024 thank you for the reply, much appreciated. I am trying to find another example. For instance, a process cannot call a subprocess: it can execute itself, but it cannot call id.
It's confusing for me to understand, since the doc says https://github.com/kubearmor/KubeArmor/blob/event-auditor/getting-started/consideration_in_policy_action.md

Since my defaultPosture is Block, after defining allow and block together it's whitelisted, as described in the docs. Is it possible to define this easily? Maybe enforce defaultPosture to block.
@daemon1024 looking forward to the reply.
Hey @janavenkat, sorry for the really late response.

A standard whitelisting policy would work here, right? I am not sure about the question here. What is it that is not achievable based on #1588 (comment)?