v1.6.0 Release Blog
We are excited to announce the release of KubeArmor v1.6, packed with powerful new features, significant enhancements, and critical bug fixes that make workload protection and observability even more robust for cloud-native environments.
This release reflects major advancements in policy enforcement, system monitoring, and ecosystem integrations while addressing important stability and performance improvements.

- Introduced argument-based matching for processes in policies.
  - Allows precise control over command-line arguments, enabling granular process enforcement.
  - This feature is currently limited to BPFLSM.
  - Example policy:

```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: allow-steampipe-args
spec:
  selector:
    matchLabels:
      app: steampipe
  process:
    matchPaths:
      - path: /usr/bin/python3.6
        allowedArgs:
          - -m
          - modules.steampipe_aws
  action: Block
```
- Added DNS query tracing on UDP to provide insights into domain lookups from workloads.
- Helps detect malicious behaviors like DGA (Domain Generation Algorithms) or unauthorized C2 communications.
- ProtectProc: Blocks unauthorized access to the `/proc` directory by non-owner processes.
- ProtectEnv: Prevents unauthorized access to sensitive environment variables in `/proc/[pid]/environ`.
- ExecPreset: Enforces restrictions on external process executions (e.g., via `kubectl exec`).
- OCI Hooks Support: Added support for containerd and CRI-O hooks, eliminating the need to expose runtime UNIX sockets for container events.
- Added TTY information in BPF-LSM generated telemetry.
- Enhanced telemetry with network metadata using Kubernetes informers.
- Extended alert resources to include full command arguments.
- OpenSearch Support: Added OpenSearch as a datasource for process graphs in Grafana dashboards.
- Integrated image vulnerability scanning workflows (via Trivy) in release pipelines.
- Resolved memory leaks in AppArmor DaemonSet (observed in AKS clusters).
- Fixed policy deletion logic for recommended policies in the operator.
- Addressed KubeArmorClusterPolicy enforcement issue for pods created post-policy application.
- Fixed panic errors with uninitialized Docker daemons.
- Resolved tolerations propagation issues in Helm chart deployments.
- Improved filtering logic in `karmor profile` commands to respect namespace, pod, and container filters.
- Fixed PID/HostPID and PPID/HostPPID display anomalies (e-notation issues).
- Helm charts updated to handle tolerations properly.
- Introduced conditional deployment of pod refresh controllers.
- Updated CI pipelines to use Ubuntu 22.04 runners and separated network tests for newer kernels.
- Deprecated legacy Config Watcher in favor of karmor.yaml configuration.
- Preset API Specification Updated: the action is now defined at the per-preset level:

```yaml
presets:
  - name: protectEnv
    action: Block
```
- Configuration changes via `karmor.yaml` will eventually replace existing ConfigMap fields.
- Revised hardening policies and presets documentation.
- Updated multi-OS deployment instructions and CLI long descriptions.
- Added ModelArmor use-cases and a better getting-started guide.
- Users are advised to review preset configurations and update CRDs accordingly.
- When upgrading from v1.5, ensure Helm charts are updated to leverage new toleration handling and configuration management features.
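As an added example (not taken from the release notes or the KubeArmor project), here is a complete KubeArmorPolicy written in the updated per-preset action form that users are asked to migrate to. The `protectEnv` preset name is the one shown above; `protectProc` is assumed to be the preset name for the ProtectProc feature, following the same naming convention, and the namespace and `app: payments-api` selector label are constructed placeholders.

```yaml
# Added example: a KubeArmorPolicy using the v1.6 per-preset action form.
# Assumptions: "protectProc" is the preset name for ProtectProc (the release
# notes only show "protectEnv"); the namespace and selector label are constructed.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: harden-payments-api-presets
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments-api
  presets:
    # Block reads of /proc/[pid]/environ by processes that do not own the target,
    # so secrets passed as environment variables cannot be harvested from a
    # neighbouring process in the same pod.
    - name: protectEnv
      action: Block
    # Audit (log but allow) non-owner access under /proc first, so the rule can be
    # tuned against real telemetry before it is switched to Block.
    - name: protectProc
      action: Audit
```

Apply it with `kubectl apply -f` and watch the resulting events with `karmor logs`; once the Audit preset produces no legitimate hits, change its `action` to `Block`. Because the action now lives on each preset entry rather than on the policy as a whole, a single policy can enforce some presets while only auditing others.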
This release wouldn't have been possible without the incredible contributions from the community. Special thanks to all contributors for feature development, bug fixes, and reviews.
- KubeArmor Documentation
- GitHub Repository
- Changelog