HostPath Mounts Used by KubeArmor
Rishabh Soni edited this page Oct 30, 2024
KubeArmor monitors and enforces security policies at the kernel level, which requires access to several parts of the host file system. This page lists the hostPath volumes the KubeArmor DaemonSet mounts from the host, grouped by the condition under which each one is mounted.
The following mounts are always used:

1. Kernel debug file system
- Name: sys-kernel-debug-path
- Path: /sys/kernel/debug
- Type: Directory
- Purpose: Provides access to the kernel's debug file system (debugfs), which KubeArmor needs to attach tracepoints for monitoring system calls and other kernel-level events.

2. Container runtime sockets (read-only)
- Type: Socket
- Purpose: Needed for interacting with the container runtime. These mounts will be removed once KubeArmor adopts OCI hooks.
The following path is mounted only when AppArmor is used as the enforcer:

- Name: etc-apparmor-d-path
- Path: /etc/apparmor.d
- Type: Directory
- Purpose: Used to access the host's AppArmor profiles.
The following paths are mounted only when BTF (BPF Type Format) is not available on the host kernel, in which case KubeArmor runs an init container that needs the kernel headers:

- Name: lib-modules-path
- Path: /lib/modules
- Type: Directory
- Purpose: Required to access the kernel headers.

- Name: usr-src-path
- Path: /usr/src
- Type: Directory
- Purpose: Required to access the kernel headers.

- Name: os-release-path
- Path: /etc/os-release
- Type: File
- Purpose: Provides information about the host operating system (distribution and version).

- Name: apparmor-path
- Path: /etc/apparmor.d/
- Type: Directory
- Purpose: Provides access to the host's AppArmor profiles.

- Name: sys-path
- Path: /sys/
- Type: Directory
- Purpose: Used to inspect the host's security file systems and determine which enforcer is available.

- Name: var-path
- Path: /var/
- Type: Directory
- Purpose: Used to detect the container runtime (its sockets and state directories live under /var).

- Name: run-path
- Path: /run/
- Type: Directory
- Purpose: Used to detect the container runtime (its sockets live under /run).
The following path is mounted only when KubeArmor itself is hardened with seccomp:

- Name: seccomp-path
- Path: /var/lib/kubelet/seccomp
- Type: DirectoryOrCreate
- Purpose: Holds the seccomp profiles present on the node, which the kubelet loads from this directory; the directory is created if it does not already exist.
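Because every entry above grants the KubeArmor pod a view into the host, a practitioner will want to confirm that the DaemonSet actually running in the cluster mounts only the documented paths, with the runtime sockets read-only. The Python script below is an added example and not KubeArmor's own code: it audits a DaemonSet object in the shape that `kubectl get daemonset kubearmor -n kubearmor -o json` returns against the mount list on this page, covering all of the groups above. `SAMPLE_DAEMONSET`, including its volume names and the runtime socket paths, is constructed for the example and is not taken from the project's manifests.

```python
"""Audit a KubeArmor DaemonSet's hostPath volumes against the mounts documented on this page.

Added example, not KubeArmor's own code. The DaemonSet is consumed as the dict that
`kubectl get ds kubearmor -n kubearmor -o json` would return, so it runs offline on
the constructed SAMPLE_DAEMONSET below.
"""

# Documented hostPath mounts: host path -> (hostPath type, condition under which it is mounted).
DOCUMENTED = {
    "/sys/kernel/debug": ("Directory", "always"),
    "/etc/apparmor.d": ("Directory", "AppArmor enforcer or BTF-less init container"),
    "/lib/modules": ("Directory", "BTF-less init container"),
    "/usr/src": ("Directory", "BTF-less init container"),
    "/etc/os-release": ("File", "BTF-less init container"),
    "/sys": ("Directory", "BTF-less init container"),
    "/var": ("Directory", "BTF-less init container"),
    "/run": ("Directory", "BTF-less init container"),
    "/var/lib/kubelet/seccomp": ("DirectoryOrCreate", "seccomp hardening of KubeArmor"),
}
ALWAYS_REQUIRED = {"/sys/kernel/debug"}


def _norm(path: str) -> str:
    """Normalise a host path so '/etc/apparmor.d/' and '/etc/apparmor.d' compare equal."""
    return path.rstrip("/") or "/"


def audit_hostpaths(daemonset: dict) -> list:
    """Return a list of findings; an empty list means the DaemonSet matches the documented mounts."""
    findings = []
    pod = daemonset["spec"]["template"]["spec"]
    host_volumes = {v["name"]: v["hostPath"] for v in pod.get("volumes", []) if "hostPath" in v}

    # volume name -> [(container name, readOnly flag)] across init and regular containers
    usage = {}
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        for m in c.get("volumeMounts", []):
            usage.setdefault(m["name"], []).append((c["name"], bool(m.get("readOnly", False))))

    seen = set()
    for name, hp in host_volumes.items():
        path, htype = _norm(hp["path"]), hp.get("type", "")
        seen.add(path)
        if htype == "Socket":
            # The page documents container runtime sockets as read-only mounts.
            for cname, ro in usage.get(name, []):
                if not ro:
                    findings.append(f"{name}: runtime socket {path} is read-write in container {cname}")
            continue
        if path not in DOCUMENTED:
            findings.append(f"{name}: hostPath {path} is not a documented KubeArmor mount")
            continue
        expected_type, _condition = DOCUMENTED[path]
        if htype != expected_type:
            findings.append(f"{name}: {path} declared as {htype or 'unset'}, documented as {expected_type}")
        if name not in usage:
            findings.append(f"{name}: volume declared but mounted by no container")
    for path in ALWAYS_REQUIRED - seen:
        findings.append(f"required hostPath {path} is missing")
    return findings


# Constructed sample (hypothetical volume names and socket paths) with two deliberate problems:
# a read-write docker socket and an undocumented /etc/kubernetes mount.
SAMPLE_DAEMONSET = {
    "kind": "DaemonSet",
    "metadata": {"name": "kubearmor", "namespace": "kubearmor"},
    "spec": {"template": {"spec": {
        "initContainers": [{
            "name": "init",
            "volumeMounts": [{"name": "lib-modules-path", "mountPath": "/lib/modules", "readOnly": True}],
        }],
        "containers": [{
            "name": "kubearmor",
            "volumeMounts": [
                {"name": "sys-kernel-debug-path", "mountPath": "/sys/kernel/debug"},
                {"name": "containerd-sock-path", "mountPath": "/var/run/containerd/containerd.sock", "readOnly": True},
                {"name": "docker-sock-path", "mountPath": "/var/run/docker.sock"},
                {"name": "kube-config-path", "mountPath": "/host/etc/kubernetes"},
            ],
        }],
        "volumes": [
            {"name": "sys-kernel-debug-path", "hostPath": {"path": "/sys/kernel/debug", "type": "Directory"}},
            {"name": "lib-modules-path", "hostPath": {"path": "/lib/modules", "type": "Directory"}},
            {"name": "containerd-sock-path", "hostPath": {"path": "/var/run/containerd/containerd.sock", "type": "Socket"}},
            {"name": "docker-sock-path", "hostPath": {"path": "/var/run/docker.sock", "type": "Socket"}},
            {"name": "kube-config-path", "hostPath": {"path": "/etc/kubernetes", "type": "Directory"}},
        ],
    }}},
}

if __name__ == "__main__":
    for finding in audit_hostpaths(SAMPLE_DAEMONSET):
        print("FINDING:", finding)
```

Run against a live cluster by loading the JSON from `kubectl get daemonset kubearmor -n kubearmor -o json` and passing it to `audit_hostpaths`; the sample above yields two findings (the read-write docker socket and the undocumented `/etc/kubernetes` mount). The allowlist accepts the conditional mounts whenever they appear, so a match does not prove a given enforcer or init container is in use, only that nothing outside the documented set is exposed.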