
kubearmor blocking network operation after applying autodiscovered (process and file) policies. #627

Open
salman-accuknox opened this issue Dec 9, 2022 · 1 comment

@salman-accuknox

Issue Report

General Information

  • Environment: AKS
  • Orchestration system version in use (e.g. kubectl version, ...)
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5", GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:58:47Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.12", GitCommit:"f941a31f4515c5ac03f5fc7ccf9a330e3510b80d", GitTreeState:"clean", BuildDate:"2022-11-09T17:12:33Z", GoVersion:"go1.17.13", Compiler:"gc", Platform:"linux/amd64"}
  • Target : pods

To Reproduce

  1. Deploy MySQL

Deploying MySQL on Kubernetes

➜  ~ k get po -n mysql-ad --show-labels
NAME                     READY   STATUS    RESTARTS   AGE     LABELS
mysql-6d86c78b54-8nwkz   1/1     Running   0          2d17h   app=mysql,pod-template-hash=6d86c78b54
➜  ~ k exec -it mysql-6d86c78b54-8nwkz -n mysql-ad bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mysql-6d86c78b54-8nwkz:/# mysql -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 5.6.51 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

  2. Perform some operations on MySQL

How to Create Tables and Insert Data into SQL Databases

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ad_test            |
| mysql              |
| performance_schema |
| recipes_database   |
+--------------------+
5 rows in set (0.00 sec)

mysql> use recipes_database;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+----------------------------+
| Tables_in_recipes_database |
+----------------------------+
| ingredients                |
| recipe_ingredients         |
| recipes                    |
+----------------------------+
3 rows in set (0.00 sec)

mysql> select * from ingredients;
+---------------+-----------------+------------------+
| ingredient_id | ingredient_name | ingredient_price |
+---------------+-----------------+------------------+
|             1 | Beef            |                5 |
|             2 | Lettuce         |                1 |
|             3 | Tomatoes        |                2 |
|             4 | Taco Shell      |                2 |
|             5 | Cheese          |                3 |
|             6 | Milk            |                1 |
|             7 | Bread           |                2 |
+---------------+-----------------+------------------+
7 rows in set (0.00 sec)

mysql> exit
Bye
root@mysql-6d86c78b54-8nwkz:/#

  3. Discover kubearmor policies
karmor discover -f yaml -n mysql-ad > ad-kubearmorpolicy.yaml

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: autopol-system-1928276615
  namespace: mysql-ad
spec:
  action: Allow
  file:
    matchDirectories:
    - dir: /etc/
      recursive: true
    - dir: /lib/x86_64-linux-gnu/
      recursive: true
    matchPaths:
    - path: /dev/tty
    - path: /lib/terminfo/x/xterm
    - path: /pts/ptmx
    - path: /root/.bash_history
    - path: /root/.bashrc
    - fromSource:
      - path: /usr/bin/mysql
      path: /root/.mysql_history.TMP
    - fromSource:
      - path: /usr/bin/mysql
      path: /root/.mysql_history
    - fromSource:
      - path: /usr/bin/mysql
      path: /usr/lib/x86_64-linux-gnu/libstdc++.so.6
    - fromSource:
      - path: /usr/bin/mysql
      path: /usr/share/mysql/charsets/Index.xml
  process:
    matchPaths:
    - path: /bin/bash
    - fromSource:
      - path: /bin/bash
      path: /usr/bin/mysql
  selector:
    matchLabels:
      app: mysql
  severity: 1
---
  4. Apply policy
k apply -f ad-kubearmorpolicy.yaml
➜  mysql k get ksp,hsp -A
NAMESPACE         NAME                                                               AGE
mysql-ad          kubearmorpolicy.security.kubearmor.com/autopol-system-1928276615   59m

  5. Change DefaultPosture to block.
kubectl annotate ns mysql-ad kubearmor-file-posture=block --overwrite=true

  6. Repeat the operations performed in step 2
➜  ~ k exec -it mysql-6d86c78b54-8nwkz -n mysql-ad bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@mysql-6d86c78b54-8nwkz:/# mysql -p
Enter password:
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)
root@mysql-6d86c78b54-8nwkz:/#

Logs

➜  ~ karmor log --namespace mysql-ad
local port to be used for port forwarding kubearmor-relay-5656cc5bf7-nb6b4: 32767
Created a gRPC client (localhost:32767)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2022-12-09 03:10:32.328526 ==
ClusterName: default
HostName: aks-agentpool-31698863-vmss000000
NamespaceName: mysql-ad
PodName: mysql-6d86c78b54-8nwkz
Labels: app=mysql
ContainerName: mysql
ContainerID: 7f6392c0b8b6a2a2734dc4feb85474bd4f27d607e957a8f4bd1ba9d686411a5c
ContainerImage: docker.io/library/mysql:5.6@sha256:20575ecebe6216036d25dab5903808211f1e9ba63dc7825ac20cb975e34cfcae
Type: MatchedPolicy
PolicyName: DefaultPosture
Source: /usr/bin/mysql -p
Resource: sa_family=AF_UNIX sun_path=/var/run/mysqld/mysqld.sock
Operation: Network
Action: Block
Data: syscall=SYS_CONNECT fd=3
Enforcer: AppArmor
Result: Permission denied
HostPID: 835717
HostPPID: 754895
PID: 287
PPID: 276
ParentProcessName: /bin/bash
ProcessName: /usr/bin/mysql
Stopped WatchAlerts

Expected behavior

After applying the auto-discovered policies, it shouldn't break the application

karmor sysdump
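
An added example (my own code, not KubeArmor's and not the reporter's) that parses the `karmor log` alert format shown above and checks each blocked resource against the file and process sections of the auto-discovered Allow policy, so a defender can see which path auto-discovery missed before setting the posture to block. The policy dict is a transcription of the YAML above; the second alert in the sample log is constructed. It assumes that the AppArmor enforcer mediates connect() to a filesystem-path UNIX socket as a file access on that path, which is why a Network alert carrying a sun_path is checked against the file section.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the Network alert from this issue, trimmed to the
# fields used here, plus one constructed File alert that the policy allows.
SAMPLE_LOG = """\
== Alert / 2022-12-09 03:10:32.328526 ==
PolicyName: DefaultPosture
Resource: sa_family=AF_UNIX sun_path=/var/run/mysqld/mysqld.sock
Operation: Network
Action: Block
ProcessName: /usr/bin/mysql
== Alert / 2022-12-09 03:10:40.000000 ==
PolicyName: autopol-system-1928276615
Resource: /root/.mysql_history
Operation: File
Action: Allow
ProcessName: /usr/bin/mysql
Stopped WatchAlerts
"""

# The file and process sections of the auto-discovered policy from this issue,
# transcribed into a dict so no YAML library is needed.
FROM_MYSQL = [{"path": "/usr/bin/mysql"}]
POLICY = {
    "file": {
        "matchDirectories": [
            {"dir": "/etc/", "recursive": True},
            {"dir": "/lib/x86_64-linux-gnu/", "recursive": True},
        ],
        "matchPaths": [
            {"path": "/dev/tty"}, {"path": "/lib/terminfo/x/xterm"}, {"path": "/pts/ptmx"},
            {"path": "/root/.bash_history"}, {"path": "/root/.bashrc"},
            {"path": "/root/.mysql_history.TMP", "fromSource": FROM_MYSQL},
            {"path": "/root/.mysql_history", "fromSource": FROM_MYSQL},
            {"path": "/usr/lib/x86_64-linux-gnu/libstdc++.so.6", "fromSource": FROM_MYSQL},
            {"path": "/usr/share/mysql/charsets/Index.xml", "fromSource": FROM_MYSQL},
        ],
    },
    "process": {
        "matchPaths": [
            {"path": "/bin/bash"},
            {"path": "/usr/bin/mysql", "fromSource": [{"path": "/bin/bash"}]},
        ],
    },
}

ALERT_HEADER = re.compile(r"^== Alert / .* ==$")
SUN_PATH = re.compile(r"sun_path=(\S+)")

def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Split karmor log output into one dict of 'Key: value' fields per alert."""
    alerts: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if ALERT_HEADER.match(line):
            current = {}
            alerts.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return alerts

def resource_path(alert: Dict[str, str]) -> Optional[str]:
    """sun_path for a UNIX-socket Network alert, Resource for File/Process alerts, else None."""
    res = alert.get("Resource", "")
    if alert.get("Operation") == "Network":
        m = SUN_PATH.search(res)
        return m.group(1) if m else None
    return res or None

def _source_ok(rule: dict, source: Optional[str]) -> bool:
    # Without fromSource a rule applies to every process; with it, only to the listed binaries.
    srcs = [s["path"] for s in rule.get("fromSource", [])]
    return not srcs or source in srcs

def covered(policy: dict, section: str, path: str, source: Optional[str] = None) -> bool:
    """True if the Allow policy's file or process section covers `path` for `source`."""
    rules = policy.get(section, {})
    if any(r["path"] == path and _source_ok(r, source) for r in rules.get("matchPaths", [])):
        return True
    for r in rules.get("matchDirectories", []):
        d = r["dir"]
        # A non-recursive directory rule covers only direct children of the directory.
        if path.startswith(d) and _source_ok(r, source) and (r.get("recursive") or "/" not in path[len(d):]):
            return True
    return False

def uncovered_blocks(text: str, policy: dict) -> List[tuple]:
    """(operation, path, process) for every Block alert whose path the Allow policy
    lacks. Assumption: AppArmor mediates connect() to a filesystem-path UNIX socket
    as a file access, so such Network alerts are checked against the file section."""
    out = []
    for a in parse_alerts(text):
        path = resource_path(a)
        if a.get("Action") != "Block" or path is None:
            continue
        section = "process" if a.get("Operation") == "Process" else "file"
        if not covered(policy, section, path, a.get("ProcessName")):
            out.append((a.get("Operation", ""), path, a.get("ProcessName", "")))
    return out

if __name__ == "__main__":
    for op, path, proc in uncovered_blocks(SAMPLE_LOG, POLICY):
        print(f"{op} access to {path} by {proc} is blocked and absent from the Allow policy")
```

Run against a saved `karmor log` capture in place of SAMPLE_LOG; each tuple it reports is a resource the workload touched that the discovered policy does not allow, which is the list to review before switching the namespace posture to block.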

@salman-accuknox (Author)

cc: @nyrahul @seswarrajan
