{"id":15036930,"url":"https://github.com/kubearmor/kubearmor","last_synced_at":"2026-04-02T23:24:55.319Z","repository":{"id":36973547,"uuid":"316098156","full_name":"kubearmor/KubeArmor","owner":"kubearmor","description":"Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).","archived":false,"fork":false,"pushed_at":"2025-05-09T17:26:54.000Z","size":61391,"stargazers_count":1720,"open_issues_count":258,"forks_count":367,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-05-12T08:28:31.044Z","etag":null,"topics":["bpf","containers","ebpf","hacktoberfest","kernel","kubernetes","lsm","policy","sandbox","security","system","tool"],"latest_commit_sha":null,"homepage":"https://kubearmor.io/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kubearmor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-11-26T01:59:16.000Z","updated_at":"2025-05-12T08:26:25.000Z","dependencies_parsed_at":"2023-10-10T16:55:39.818Z","dependency_job_id":"19e1764e-82e0-4cb5-9966-cf66fa16d495","html_url":"https://github.com/kubearmor/KubeArmor","commit_stats":{"total_commits":2236,"total_committers":112,"mean_commits":"19.964285714285715","dds":0.5782647584973166,"last_synced_commit":"3481433fae33f813535363766dcd913c6a0014b5"},"previous_names":[],"tags_count":54,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubearmor%2FKubeArmor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubearmor%2FKubeArmor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubearmor%2FKubeArmor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kubearmor%2FKubeArmor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kubearmor","download_url":"https://codeload.github.com/kubearmor/KubeArmor/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254000848,"owners_count":21997441,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bpf","containers","ebpf","hacktoberfest","kernel","kubernetes","lsm","policy","sandbox","security","system","tool"],"created_at":"2024-09-24T20:32:47.971Z","updated_at":"2026-04-02T23:24:55.313Z","avatar_url":"https://github.com/kubearmor.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![](.gitbook/assets/logo.png)\n\n[![Build Status](https://github.com/kubearmor/KubeArmor/actions/workflows/ci-test-ginkgo.yml/badge.svg)](https://github.com/kubearmor/KubeArmor/actions/workflows/ci-test-ginkgo.yml/)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5401/badge)](https://bestpractices.coreinfrastructure.org/projects/5401)\n[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/kubearmor/badge)](https://clomonitor.io/projects/cncf/kubearmor)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubearmor/kubearmor/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/KubeArmor)\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor.svg?type=shield\u0026issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield)\n[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor.svg?type=shield\u0026issueType=security)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield)\n[![Slack](https://img.shields.io/badge/Join%20Our%20Community-Slack-blue)](https://cloud-native.slack.com/archives/C02R319HVL3)\n[![Discussions](https://img.shields.io/badge/Got%20Questions%3F-Chat-Violet)](https://github.com/kubearmor/KubeArmor/discussions)\n[![Docker Downloads](https://img.shields.io/docker/pulls/kubearmor/kubearmor)](https://hub.docker.com/r/kubearmor/kubearmor)\n[![ArtifactHub](https://img.shields.io/badge/ArtifactHub-KubeArmor-blue?logo=artifacthub\u0026labelColor=grey\u0026color=green)](https://artifacthub.io/packages/search?kind=19)\n\nKubeArmor is a cloud-native runtime security enforcement system that restricts the behavior \\(such as process execution, file access, and networking operations\\) of pods, containers, and nodes (VMs) at the system level.\n\nKubeArmor leverages [Linux security modules \\(LSMs\\)](https://en.wikipedia.org/wiki/Linux_Security_Modules) such as [AppArmor](https://en.wikipedia.org/wiki/AppArmor), [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), or [BPF-LSM](https://docs.kernel.org/bpf/prog_lsm.html) to enforce the user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.\n\n|  |   |\n|:---|:---|\n| :muscle: **[Harden Infrastructure](getting-started/hardening_guide.md)** \u003chr\u003e:chains: Protect critical paths such as cert bundles \u003cbr\u003e:clipboard: MITRE, STIGs, CIS based rules \u003cbr\u003e:left_luggage: Restrict access to raw DB table | :ring: **[Least Permissive Access](getting-started/least_permissive_access.md)** \u003chr\u003e:traffic_light: Process Whitelisting \u003cbr\u003e:traffic_light: Network Whitelisting \u003cbr\u003e:control_knobs: Control access to sensitive assets |\n| :telescope: **[Application Behavior](getting-started/workload_visibility.md)** \u003chr\u003e:dna: Process execs, File System accesses \u003cbr\u003e:compass: Service binds, Ingress, Egress connections \u003cbr\u003e:microscope: Sensitive system call profiling | :snowflake: **[Deployment Models](getting-started/deployment_models.md)** \u003chr\u003e:wheel_of_dharma: Kubernetes Deployment\u003cbr\u003e:whale2: Containerized Deployment\u003cbr\u003e:computer: VM/Bare-Metal Deployment |\n\n## Architecture Overview\n\n![KubeArmor High Level Design](.gitbook/assets/kubearmor_overview.png)\n\n## Documentation :notebook:\n\n* :point_right: [Getting Started](getting-started/deployment_guide.md)\n* :dart: [Use Cases](getting-started/use-cases/hardening.md)\n* :heavy_check_mark: [KubeArmor Support Matrix](getting-started/support_matrix.md)\n* :chess_pawn: [How is KubeArmor different?](getting-started/differentiation.md)\n* :scroll: Security Policy for Pods/Containers [[Spec](getting-started/security_policy_specification.md)] [[Examples](getting-started/security_policy_examples.md)]\n* :scroll: Cluster level security Policy for Pods/Containers [[Spec](getting-started/cluster_security_policy_specification.md)] [[Examples](getting-started/cluster_security_policy_examples.md)]\n* :scroll: Security Policy for Hosts/Nodes [[Spec](getting-started/host_security_policy_specification.md)] [[Examples](getting-started/host_security_policy_examples.md)]\n* :scroll: Network Security Policy for Hosts/Nodes [[Spec](getting-started/network_security_policy_specification.md)] [[Examples](getting-started/network_security_policy_examples.md)]\u003cbr\u003e\n... [detailed documentation](https://docs.kubearmor.io/kubearmor/)\n\n### Contributors :busts_in_silhouette:\n\n* :blue_book: [Contribution Guide](contribution/contribution_guide.md)\n* :technologist: [Development Guide](contribution/development_guide.md), [Testing Guide](contribution/testing_guide.md)\n* :raised_hand: [Join KubeArmor Slack](https://cloud-native.slack.com/archives/C02R319HVL3)\n* :question: [FAQs](getting-started/FAQ.md)\n\n### Biweekly Meeting\n\n- :speaking_head: [Zoom Link](http://zoom.kubearmor.io)\n- :page_facing_up: Minutes: [Document](https://docs.google.com/document/d/1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs/edit)\n- :calendar: Calendar invite: [Google Calendar](http://www.google.com/calendar/event?action=TEMPLATE\u0026dates=20220210T150000Z%2F20220210T153000Z\u0026text=KubeArmor%20Community%20Call\u0026location=\u0026details=%3Ca%20href%3D%22https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs%2Fedit%22%3EMinutes%20of%20Meeting%3C%2Fa%3E%0A%0A%3Ca%20href%3D%22%20http%3A%2F%2Fzoom.kubearmor.io%22%3EZoom%20Link%3C%2Fa%3E\u0026recur=RRULE:FREQ=WEEKLY;INTERVAL=2;BYDAY=TH\u0026ctz=Asia/Calcutta), [ICS file](getting-started/resources/KubeArmorMeetup.ics)\n\n## Notice/Credits :handshake:\n\n- KubeArmor uses [Tracee](https://github.com/aquasecurity/tracee/)'s system call utility functions.\n\n## CNCF\n\nKubeArmor is [Sandbox Project](https://www.cncf.io/projects/kubearmor/) of the Cloud Native Computing Foundation.\n![CNCF SandBox Project](.gitbook/assets/cncf-sandbox.png)\n\n## ROADMAP\n\nKubeArmor roadmap is tracked via [KubeArmor Projects](https://github.com/orgs/kubearmor/projects?query=is%3Aopen)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubearmor%2Fkubearmor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkubearmor%2Fkubearmor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkubearmor%2Fkubearmor/lists"}