Security Considerations in KubeArmor

Barun Acharya edited this page Oct 23, 2024 · 1 revision

This document highlights key security considerations and improvements for KubeArmor, focusing on enhancing the overall security posture of the project.

1. Improving Scorecard Score for KubeArmor

  • Description: Focus on enhancing KubeArmor’s security score in the OpenSSF scorecard by addressing best practices and improving code quality.
  • Reference: Improve Scorecard Score for KubeArmor

2. Rootless Container Support and Reducing the KubeArmor Base Image (Moved to UBI)

  • Description: Support running KubeArmor in rootless containers to reduce privileges and minimize security risks, and migrate to the Universal Base Image (UBI) to reduce the size of KubeArmor images and remove unnecessary packages.
  • Reference: UBI Migration

3. Remove Cluster-Admin Role Dependency

  • Description: Minimize the use of the cluster-admin role, reducing the broad permissions granted to KubeArmor components.

4. Seccomp Profile for KubeArmor

  • Description: Apply seccomp profiles to restrict the system calls that KubeArmor can use, reducing the attack surface.

5. Dogfooding and Use of Hardening Policies for KubeArmor Pod

  • Description: Apply KubeArmor's own security policies (self-testing) and enforce strict hardening policies, such as process whitelisting, to protect the KubeArmor agent.

6. TLS for Intra-KubeArmor Communication

  • Description: Ensure that all internal communication between KubeArmor components is encrypted using TLS to protect against eavesdropping.

7. Fix Critical Vulnerabilities Across KubeArmor Images

  • Description: Identify and resolve critical security vulnerabilities present in all KubeArmor container images.

8. Fuzz Testing for KubeArmor

  • Description: Implement fuzz testing to identify potential security vulnerabilities in KubeArmor by testing with unexpected or random inputs.
  • Reference: Fuzz Testing for KubeArmor

9. Remove Unnecessary HostPaths from Manifests

  • Description: Review and remove any unnecessary hostPath mounts from the KubeArmor deployment to minimize exposure to the host filesystem.
  • Reference: HostPath Mounts Used by KubeArmor

10. Remove Unnecessary Capabilities from Manifests

  • Description: Strip away any unneeded capabilities from the KubeArmor manifests to adhere to the principle of least privilege.
  • Reference: Capabilities Required by KubeArmor
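
A manifest audit covering items 3, 4, 9 and 10, as an added example that is not part of the KubeArmor project. The `audit` function, its allow-list parameters and the sample objects are assumptions constructed for illustration; the allow-lists shown are not KubeArmor's actual capability or hostPath requirements.

```python
WORKLOADS = {"DaemonSet", "Deployment", "StatefulSet"}

def audit(objects, allowed_caps, allowed_host_paths):
    """Return sorted (object name, finding) pairs for a list of manifest dicts."""
    findings = []
    for obj in objects:
        name, kind = obj.get("metadata", {}).get("name", "<unnamed>"), obj.get("kind")
        # Item 3: bindings to the built-in cluster-admin ClusterRole.
        if kind in ("ClusterRoleBinding", "RoleBinding"):
            if obj.get("roleRef", {}).get("name") == "cluster-admin":
                findings.append((name, "binds cluster-admin"))
        if kind not in WORKLOADS:
            continue
        pod = obj["spec"]["template"]["spec"]
        # Item 9: hostPath volumes outside the reviewed allow-list.
        for vol in pod.get("volumes", []):
            path = vol.get("hostPath", {}).get("path")
            if path and path not in allowed_host_paths:
                findings.append((name, f"hostPath {path}"))
        pod_seccomp = pod.get("securityContext", {}).get("seccompProfile", {}).get("type")
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            sc = c.get("securityContext", {})
            caps = sc.get("capabilities", {})
            # Item 10: privileged mode, added capabilities off the allow-list, no drop ALL.
            if sc.get("privileged"):
                findings.append((name, f"{c['name']}: privileged"))
            for cap in caps.get("add", []):
                if cap not in allowed_caps:
                    findings.append((name, f"{c['name']}: capability {cap}"))
            if "ALL" not in caps.get("drop", []):
                findings.append((name, f"{c['name']}: does not drop ALL"))
            # Item 4: a container-level seccomp setting overrides the pod-level one.
            seccomp = sc.get("seccompProfile", {}).get("type", pod_seccomp)
            if seccomp in (None, "Unconfined"):
                findings.append((name, f"{c['name']}: seccomp {seccomp or 'unset'}"))
    return sorted(findings)

# Constructed sample objects (illustrative values, not KubeArmor's real manifests).
SAMPLE = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "agent-crb"}, "roleRef": {"name": "cluster-admin"}},
    {"kind": "DaemonSet", "metadata": {"name": "agent"}, "spec": {"template": {"spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"hostPath": {"path": "/sys/fs/bpf"}}, {"hostPath": {"path": "/"}}],
        "containers": [
            {"name": "agent", "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["SYS_PTRACE", "NET_RAW"]}}},
            {"name": "sidecar", "securityContext": {"seccompProfile": {"type": "Unconfined"}}}]}}}}]

if __name__ == "__main__":
    print(*audit(SAMPLE, allowed_caps={"SYS_PTRACE"}, allowed_host_paths={"/sys/fs/bpf"}), sep="\n")
```

Run in CI against the rendered manifests (converted to JSON), an empty result means every hostPath and capability is on the reviewed allow-list and no object binds cluster-admin.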

11. Using OCI Hooks for Container Events

Additional Documentation

For more detailed security enhancements, refer to the following document:
