Source: https://github.com/open-horizon/kubearmor-integration (README of open-horizon/kubearmor-integration, "KubeArmor runtime security integration with Open Horizon")

# KubeArmor security for Open Horizon workloads / agent

KubeArmor is a runtime security engine that can protect k8s-orchestrated or
pure containerized workloads as well as VM/bare-metal workloads. Open
Horizon deploys edge workloads in either containerized mode or k8s-orchestrated
mode. The Open Horizon Edge Agent operates directly on the host as a systemd
process.

![KubeArmor Open Horizon integration](docs/OH-edge-kubearmor.png)

KubeArmor running on the edge node provides visibility and protection for all process, file and network operations in the containers as well as those running directly on the host.

**Observability:** KubeArmor can provide container-aware observability information about the operations happening:

1) from the Agent node to the Management Hub (and vice versa)
2) between the containers and the agent edge node
3) inside the containers running on the Agent node

**Enforcement:** KubeArmor can apply security postures at the kernel level (using LSMs such as AppArmor and BPF-LSM). It can protect both the host and the workloads running on it by enforcing either predefined security policies or automatically generated least-permissive security policies (using Discovery Engine).

KubeArmor already supports k8s-orchestrated workloads and provides [KVMService](https://github.com/kubearmor/kvm-service), which orchestrates security policies to VMs in non-k8s environments.
Since the v0.5.5 release, KubeArmor also supports standalone, un-orchestrated containers. In this mode it supports both enforcement and observability for the host and the containers running on it.

## KubeArmor on Open Horizon

> **Note**
> This guide assumes both the Open Horizon Management Hub and the Agent VM are running Ubuntu 20.04.

We first need to install the Open Horizon Management Hub and Agent node components. For that, follow the [Open Horizon setup](https://github.com/kubearmor/KubeArmor/wiki/Open-Horizon-setup) guide.
We also assume that the [Open Horizon Home Assistant service](https://github.com/open-horizon-services/service-homeassistant) is running on the agent edge node.

![KubeArmor Open Horizon details](docs/OH-detailed.png)

Now we will run KubeArmor as a systemd process on the Open Horizon Agent VM.

## Installing KubeArmor, kArmor, and Discovery Engine

### **KubeArmor Installation:**

> **Note:** For distributions other than Ubuntu/Debian
>
> i. Refer to [Installing BCC](https://github.com/iovisor/bcc/blob/master/INSTALL.md#installing-bcc) to install the prerequisites.
>
> ii. Download the release tarball from the KubeArmor [releases](https://github.com/kubearmor/KubeArmor/releases) page:
>
> ```bash
> wget https://github.com/kubearmor/KubeArmor/releases/download/v0.9.0/kubearmor_0.9.0_linux-amd64.tar.gz
> ```
>
> iii. Unpack the tarball to the root directory:
>
> ```bash
> sudo tar --no-overwrite-dir -C / -xzf kubearmor_0.9.0_linux-amd64.tar.gz
> ```

1. Download the [latest release](https://github.com/kubearmor/KubeArmor/releases) of KubeArmor

   ```bash
   wget https://github.com/kubearmor/KubeArmor/releases/download/v0.9.0/kubearmor_0.9.0_linux-amd64.deb
   ```

2. Install KubeArmor

   ```bash
   sudo apt install ./kubearmor_0.9.0_linux-amd64.deb
   ```

   > Note that the above automatically installs `bpfcc-tools` with our package, but your distribution might have an older version of BCC. In case of errors, consider installing `bcc` from [source](https://github.com/iovisor/bcc/blob/master/INSTALL.md#source).

3. Start KubeArmor

   ```bash
   sudo systemctl daemon-reload
   sudo systemctl start kubearmor
   ```

4. Check that KubeArmor is running

   ```bash
   sudo journalctl -u kubearmor -f
   ```

### **kArmor Installation:**

> **Note** kArmor should already be installed by the KubeArmor installation above. Check with `karmor version`.

If kArmor is not installed, run:

```bash
curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
```

This fetches an install script over plain HTTP and pipes it straight into a root shell. On a production edge node, download the script first, read it, and only then run it, rather than executing an unauthenticated download as root.

### **Discovery Engine Installation:**

> **Note:** For distributions other than Ubuntu/Debian
>
> i. Download the release tarball from the Discovery Engine [releases](https://github.com/accuknox/discovery-engine/releases) page:
>
> ```bash
> wget https://github.com/accuknox/discovery-engine/releases/download/v0.6.3/knoxAutoPolicy_0.6.3_linux-amd64.tar.gz
> ```
>
> ii. Unpack the tarball to the root directory:
>
> ```bash
> sudo tar --no-overwrite-dir -C / -xzf knoxAutoPolicy_0.6.3_linux-amd64.tar.gz
> ```

**Note:** If you have previously installed discovery-engine, restart the service: `sudo systemctl restart knoxAutoPolicy`

1. Download the [latest release](https://github.com/accuknox/discovery-engine/releases) of Discovery Engine

   ```bash
   wget https://github.com/accuknox/discovery-engine/releases/download/v0.6.3/knoxAutoPolicy_0.6.3_linux-amd64.deb
   ```

2. Install Discovery Engine

   ```bash
   sudo apt install ./knoxAutoPolicy_0.6.3_linux-amd64.deb
   ```

3. Start Discovery Engine

   ```bash
   sudo systemctl daemon-reload
   sudo systemctl start knoxAutoPolicy
   ```

4. Check that Discovery Engine is running

   ```bash
   sudo journalctl -u knoxAutoPolicy -f
   ```

5. To see alerts on policy violations, run:

   ```bash
   karmor log
   ```

6. Now apply the sample policy *block-secrets-access.yaml*:

   ```bash
   karmor vm policy add block-secrets-access.yaml
   ```

**block-secrets-access.yaml**

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-certificates-access
spec:
  severity: 10
  message: "a critical file was accessed"
  tags:
  - WARNING
  selector:
    matchLabels:
      kubearmor.io/container.name: homeassistant
  process:
    matchPaths:
      - path: /usr/sbin/update-ca-certificates
  file:
    matchDirectories:
    - dir: /usr/share/ca-certificates/
      recursive: true
    - dir: /etc/ssl/
      recursive: true
  action: Block
```

Note: Additional predefined policies and auto-discovered policies can be found here: [https://github.com/kubearmor/openhorizon-demo/tree/main/Open-Horizon/policies](https://github.com/kubearmor/openhorizon-demo/tree/main/Open-Horizon/policies)

The selector `kubearmor.io/container.name: homeassistant` targets the container named homeassistant. Inside that container the policy blocks execution of `/usr/sbin/update-ca-certificates` and blocks access to files under `/usr/share/ca-certificates/` and `/etc/ssl/`. Note that the file is called block-secrets-access.yaml while the policy's `metadata.name` is `block-certificates-access`; alerts report the latter, as in the `karmor log` output below.

**karmor log**

```yaml
HostName: knownymousagent-VirtualBox
NamespaceName: container_namespace
PodName: homeassistant
ContainerName: homeassistant
ContainerID: 77c3916a24f74915cd7d2eb51ff6a2425c3b4d6e72b805f735800d023d355338
Type: MatchedPolicy
PolicyName: block-certificates-access
Severity: 10
Message: a critical file was accessed
Source: /bin/bash
Resource: /usr/sbin/update-ca-certificates
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: AppArmor
Result: Permission denied
HostPID: 4922
HostPPID: 4912
PID: 116
PPID: 110
ParentProcessName: /bin/bash
ProcessName: /usr/sbin/update-ca-certificates
Tags: WARNING
```

**Available filters**

```text
--logFilter <system|policy|all> - Filter to receive general system logs (system) or alerts on policy violation (policy) or both (all).
--logType <ContainerLog|HostLog> - Source of logs - ContainerLog: logs from containers or HostLog: logs from the host
--operation <Process|File|Network> - Type of logs based on process, file or network
--container - Specify container name to view container specific logs
```

Applying a policy with `karmor vm policy add` creates an AppArmor profile in `/etc/apparmor.d/` named `kubearmor_<containername>` (kubearmor_homeassistant here) and loads it into AppArmor.

### Apply the AppArmor profile to the desired container

To run a container with KubeArmor enforcement using the AppArmor profile kubearmor_homeassistant, pass `--security-opt apparmor=kubearmor_homeassistant` to `docker run`, or, if using docker-compose, add `security_opt: ["apparmor=kubearmor_homeassistant"]` under the service in docker-compose.yaml. A container started without this option keeps Docker's default profile and the policy is not enforced for it; confirm the profile is attached with `docker inspect --format '{{.AppArmorProfile}}' homeassistant`.

## Auto discover least permissive security policy

The `karmor discover` tool can be used to automatically generate security policies from the behaviour Discovery Engine has observed. The output of the command can be redirected to a YAML file:

```bash
karmor discover --format yaml --labels "kubearmor.io/container.name=homeassistant" > discovered_policy.yaml
```

This YAML file can be applied to KubeArmor to give the homeassistant container the least-permissive security posture consistent with the observed behaviour. Review it before applying it: a policy discovered from a short observation window permits only what was seen in that window, so anything the workload does later (a periodic job, an update path) will be blocked.

To apply the security policy `discovered_policy.yaml`:

```bash
karmor vm policy add discovered_policy.yaml
```

> **Note**: Host security policies use `kind: KubeArmorHostPolicy` and container security policies use `kind: KubeArmorPolicy`.

### Uninstall KubeArmor, kArmor, and Discovery Engine

First stop the KubeArmor and Discovery Engine services, then remove the packages.

```bash
sudo systemctl stop kubearmor knoxAutoPolicy
sudo apt remove --purge kubearmor knoxautopolicy karmor
```

If kArmor was installed with the install script above rather than from a package, there is no `karmor` package to remove; delete `/usr/local/bin/karmor` instead.