LFX Mentorship Experience - Kubearmor-Podman support

Getting accepted :)

As part of the Linux Foundation Mentorship Program (LFX), I had the privilege of working on the CNCF KubeArmor project in the 2024 Term 3 cohort. I took a minute to process the importance of this opportunity: working with some amazing mentors and contributing to a project at the forefront of runtime security.
KubeArmor is an open-source runtime security enforcement system designed for cloud-native environments.

Acknowledgement

I would like to express my sincere thanks to Barun Acharya, Rudraksh Pareek, and Abdulrahman Elawady for their exceptional mentorship. Their support, from clarifying concepts to troubleshooting technical issues, was instrumental in my success. They created a nurturing environment throughout the mentorship program.

Project

The LFX project link
https://mentorship.lfx.linuxfoundation.org/project/c693a6b1-d034-4140-8aba-dfe02fbef48a

The Mentorship Task

The core objective of my mentorship was to:

  • Leverage OCI hooks to capture container start/stop events and retrieve metadata for KubeArmor, replacing UNIX domain sockets.

  • Enable Podman support for both rootful and rootless environments.

  • Ensure the solution is runtime-agnostic, extending support for future runtimes.

Problem Statement

Traditionally, KubeArmor relies on container runtime UNIX domain sockets to gather container events and metadata from runtimes like Docker, containerd and CRI-O. While effective, this approach comes with limitations:

  1. Security Risks: Exposing container runtime UNIX sockets can introduce vulnerabilities. Bind-mounting the container daemon socket gives access to the container engine on the node. That access can be used for privilege escalation and to manage containers outside of Kubernetes, and hence should not be allowed.
    In brief, it grants full control over container management: whoever holds the socket can create or delete containers at will.

To address these challenges, the project leverages OCI hooks—a flexible and standardized way to interact with containers at various lifecycle stages. OCI hooks deliver lifecycle events (container runtime created, container created, container stopped, and so on) for every container managed by the runtime. By adopting OCI hooks, KubeArmor can replace the container runtime UNIX domain socket mechanism.

Podman supports OCI Hooks

Leveraging OCI hooks to obtain Podman container start/stop events and container details for KubeArmor, and using them to secure the workloads running on it.

The Journey

Week 1: Laying the Foundation

The mentorship began with a kick-off meeting where my mentors outlined the project scope and expectations, and we set the deliverables together. The first task was to understand OCI hooks—how they work, when they trigger, and how they can be integrated with Podman.

The learning curve was steep, from studying Podman’s daemonless architecture to experimenting with OCI hook configurations.

Solution

We use hooks on the container start and stop events to update the KubeArmor state for the containers being monitored.

With OCI hooks we have no visibility into containers that were created before the hook was set up, so information on pre-existing containers would be lost. For those we use a hook-exec model, in which the hook execs logic that queries the runtime through the Podman Go bindings and retrieves the pre-existing containers. The hook itself is configured to trigger on container create/delete.

The decision of when to exec and fetch the pre-existing containers is made when KubeArmor itself starts as a Podman container; the architecture design below shows this in more detail.
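As an added example (not KubeArmor's own hook code), the following Go program sketches what such a hook receives and produces: Podman invokes it with the lifecycle stage as its argument and the OCI container state on stdin, and it turns that into a start/stop event carrying the container id, PID and annotations. The KubeArmor-side message format and the sample state are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// OCIState is the runtime-spec "state" object the runtime pipes to the hook's stdin.
type OCIState struct {
	ID          string            `json:"id"`
	Pid         int               `json:"pid"`
	Annotations map[string]string `json:"annotations"`
}

// HookEvent is the message sent on to KubeArmor (format assumed for this example).
type HookEvent struct {
	Action string `json:"action"` // "start" or "stop"
	OCIState
}

// SampleState is a constructed stdin payload for a Podman-created container.
const SampleState = `{"ociVersion":"1.0.2","id":"abc123","status":"created","pid":4242,"bundle":"/tmp/bundle","annotations":{"io.container.manager":"libpod"}}`

// BuildEvent maps the hook stage (argv[1], set via "args" in the hooks config) and
// the state JSON to a start/stop event; unknown stages and empty states are rejected.
func BuildEvent(stage string, r io.Reader) (HookEvent, error) {
	var ev HookEvent
	if err := json.NewDecoder(r).Decode(&ev.OCIState); err != nil {
		return HookEvent{}, err
	}
	if ev.ID == "" {
		return HookEvent{}, errors.New("state carries no container id")
	}
	switch stage {
	case "createRuntime", "createContainer", "poststart":
		ev.Action = "start"
	case "poststop":
		ev.Action = "stop"
	default:
		return HookEvent{}, fmt.Errorf("unsupported hook stage %q", stage)
	}
	return ev, nil
}
```

If KubeArmor's socket is not yet listening when the hook fires, the hook should log the failure and still exit 0: a non-zero exit from a createRuntime hook aborts creation of the container itself.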

Overall, during the mentorship period I:

1. Documented the architecture design of the OCI hook process for unorchestrated Podman containers.

2. Enhanced the hook handler functionality of KubeArmor so that any container engine that adds OCI hook support in future can be handled.

3. Enabled monitoring of rootless and rootful Podman with KubeArmor.

4. Documented the limitation of OCI hooks when automating the application of AppArmor profiles on container start.

Here is how the Podman hook and KubeArmor work together, and the PR with the solution.

Figure: State after configuring the OCI hook and running KubeArmor-init, before the KubeArmor container launches.

Figure: State after the KubeArmor container has successfully run, with the KubeArmor socket (ka.sock) ready to accept requests from the hook.

Concluding

It’s incredible how quickly 12 weeks flew by. It feels like just yesterday I was diving into the complexities of the project, and now, here I am, reflecting on an unforgettable journey. I didn’t want this program to end, but as they say, all good things must come to an end. I’m thrilled to share that I have successfully graduated from the LFX Mentorship Program 2024 (Term 3)!

I would like to express my heartfelt gratitude to Barun Acharya, Rudraksh Pareek, and Abdulrahman Elawady for their unwavering support and mentorship throughout this journey.

This program was more than just a learning experience—it was a transformative journey that pushed me to explore new horizons, refine my skills, and collaborate with some of the most talented individuals in the field. It wasn’t always smooth sailing; there were moments of self-doubt and challenges to overcome, but with the guidance of my mentors and the support of the community, I grew both personally and professionally.

Graduating from this program isn’t just about completing tasks or achieving milestones; it’s about embracing a mindset of continuous learning and collaboration. I walk away from this experience with confidence, a deeper understanding of open-source contributions, and a profound appreciation for the mentors and peers who were part of this journey.

To anyone considering applying for the LFX Mentorship Program: go for it! It’s a life-changing opportunity to learn, contribute, and grow. As I conclude this chapter, I’m filled with gratitude and excitement for what lies ahead in the open-source ecosystem.

Here’s to new beginnings and continued contributions to the CNCF community!

Key Takeaways

"It's not just about solving the problem, it's about designing solutions that are future proof and impactful."

  • Stay Curious
    Understand the problem statement deeply before diving into solutions.

  • Communication is Key
    Regular updates and discussions with mentors ensured alignment and clarity.

  • Iterate and Improve
    Debugging isn’t just fixing—it’s learning, experimenting, and refining solutions.

  • Collaboration Over Competition
    The mentorship was as much about learning from peers and the community as it was about delivering results.
