
Armoring Cloud Native Workloads With LSM Superpowers

2022-10-26

Authors: Barun Acharya


Summary

KubeArmor is a cloud native runtime security enforcement system that provides fine-grained access control on container entities, with a declarative way to manage access-control policies, inline policy enforcement, and telemetry data with context.
  • KubeArmor provides fine-grained access control on container entities
  • KubeArmor offers a declarative way to manage policies for access control
  • KubeArmor has inline policy enforcement
  • KubeArmor provides telemetry data with context
The speaker demonstrated how KubeArmor can be used to restrict access to specific directories and files within a container, and how telemetry events provide context for debugging and for tracking down malicious intent. They also showed how KubeArmor can be used to secure service account tokens and restrict network access down to the process level.
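As an added illustration (not a policy from the talk or from the KubeArmor project's own examples), the following KubeArmorPolicy expresses the three controls the summary mentions in the project's declarative CRD format; the namespace, the `app: web-frontend` label, the config directory and the binary paths are assumptions for a hypothetical workload.

```yaml
# Added example policy; namespace, selector label and paths are assumptions.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-web-frontend
  namespace: default               # assumption
spec:
  severity: 5
  tags: ["service-account", "least-privilege"]
  message: "web-frontend hardening policy violated"
  selector:
    matchLabels:
      app: web-frontend            # assumption: pods carrying this label
  file:
    # 1. Secure the service account token: block every process in the pod
    #    from reading the projected token directory.
    matchDirectories:
      - dir: /var/run/secrets/kubernetes.io/serviceaccount/
        recursive: true
    # 2. Restrict access to specific files: the application's config file
    #    (assumed path) may be read but not modified.
    matchPaths:
      - path: /etc/web-frontend/config.yaml   # assumption
        readOnly: true
  network:
    # 3. Restrict network access at the process level: a shell-spawned
    #    download tool (assumed path) may not open TCP sockets, while the
    #    application binary is unaffected.
    matchProtocols:
      - protocol: tcp
        fromSource:
          - path: /usr/bin/curl                # assumption
  # Block enforces via the LSM; every violation is also emitted as a
  # telemetry alert carrying pod, container and process context.
  # Switch to "Audit" to log only, which is the usual first rollout step.
  action: Block
```

Apply it with `kubectl apply -f` and watch the resulting alerts with `karmor logs` to confirm which process, in which container, triggered each event before tightening the rules further.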

Abstract

Containers are not protected by default, as the various security tools in place provide perimeter security at the host or the network and not necessarily at the workload itself. LSMs (Linux Security Modules) provide the security hooks necessary to set up a least-permissive perimeter for various workloads. KubeArmor is a cloud-native runtime security enforcement system that leverages various LSMs to secure your workloads. LSMs are a really powerful system, but they come with a high barrier to entry and a steep learning curve, and they do not provide enough metadata for modern cloud native workloads. This talk will be about how KubeArmor leverages LSM superpowers to abstract away the complexities to help protect modern cloud native workloads, how we leverage eBPF to provide context about what's happening in the containers, how various kernel primitives fare against each other in protecting modern container workloads, and what the design considerations and challenges are for integrating various LSMs into KubeArmor.

Materials: