
github.com/kubearmor/KubeArmor @v1.7.4 sqlite

2,330 symbols 5,746 edges 234 files 1,334 documented · 57%
README


KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) at the system level.

KubeArmor leverages Linux security modules (LSMs) such as AppArmor, SELinux, or BPF-LSM to enforce the user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.

:muscle: Harden Infrastructure
  • :chains: Protect critical paths such as cert bundles
  • :clipboard: MITRE, STIGs, CIS based rules
  • :left_luggage: Restrict access to raw DB table

:ring: Least Permissive Access
  • :traffic_light: Process Whitelisting
  • :traffic_light: Network Whitelisting
  • :control_knobs: Control access to sensitive assets

:telescope: Application Behavior
  • :dna: Process execs, File System accesses
  • :compass: Service binds, Ingress, Egress connections
  • :microscope: Sensitive system call profiling

:snowflake: Deployment Models
  • :wheel_of_dharma: Kubernetes Deployment
  • :whale2: Containerized Deployment
  • :computer: VM/Bare-Metal Deployment

Architecture Overview

KubeArmor High Level Design

Documentation :notebook:

... detailed documentation

Contributors :busts_in_silhouette:

Biweekly Meeting

Community & Governance

KubeArmor is a community-governed project. The following documents describe how the project is run:

Notice/Credits :handshake:

  • KubeArmor uses Tracee's system call utility functions.

CNCF

KubeArmor is a Sandbox Project of the Cloud Native Computing Foundation.

ROADMAP

The KubeArmor roadmap is tracked via KubeArmor Projects.

Related Repositories

KubeArmor is more than a single repository. The following repositories under the kubearmor GitHub organization are part of the wider project. Each is governed under GOVERNANCE.md — see the Subprojects section there for how core and community subprojects are classified.

Note: This list covers actively maintained repositories. For the complete (including archived) list, see the organization page.

Core

  • KubeArmor: The main runtime security enforcement daemon. This repository.
  • kubearmor-client: karmor, the official command-line tool for installing, configuring, and observing KubeArmor.
  • charts: Official Helm charts for KubeArmor and the KubeArmor Operator.
  • policy-templates: Community-curated library of System and Network policy templates for KubeArmor (and Cilium).
  • kubearmor.io: Source for the kubearmor.io website.
  • .project: Project metadata for CNCF .project automation (CLOMonitor, landscape, etc.).

Integrations and adapters

  • otel-adapter: OpenTelemetry receiver for KubeArmor events and alerts.
  • kubearmor-prometheus-exporter: Prometheus exporter for KubeArmor metrics.
  • kubearmor-relay-server: Relay/log streaming server that aggregates events from KubeArmor agents.
  • kubearmor-kafka-client: Kafka client for streaming KubeArmor logs to a Kafka cluster.
  • kubearmor-log-client: Standalone log client (stdout or file) for consuming KubeArmor logs.
  • grafana-datasource: Grafana data source backend for visualising KubeArmor data.
  • kubearmor-dashboards: ELK-stack dashboards for KubeArmor logs and alerts.
  • kubearmor-action: GitHub Action that runs KubeArmor against a workload for CI security checks.
  • rancherui: Rancher Manager UI extension for managing KubeArmor through Rancher.
  • sidekick: Glue to connect KubeArmor events into downstream ecosystems.

Deployment and packaging

  • custom-packages: Custom .deb / .rpm packaging definitions.
  • packer-plugin-kubearmor: HashiCorp Packer plugin for baking KubeArmor into images.

Specialised projects

  • k8tls (pronounced "cattles"): assesses server port security by detecting TLS and certificate configuration.
  • modelarmor: ML model security, including pickle-injection PoC and adversarial-attack demos.
  • kvm-service: Service for orchestrating KubeArmor policies to VMs and bare-metal hosts via either a Kubernetes or non-Kubernetes control plane.
  • libbpf: Go eBPF helper library based on the upstream libbpf API.
  • kbc: KubeArmor Benchmark Calculator.

This list is generated iteratively — open a pull request to add a new repository or correct a description.

Extension points exported contracts — how you extend this code

KubeArmorNetworkPolicyLister (Interface)
KubeArmorNetworkPolicyLister helps list KubeArmorNetworkPolicies. All objects returned here must be treated as read-only [15 …
pkg/KubeArmorController/client/listers/security.kubearmor.com/v1/kubearmornetworkpolicy.go
KubeArmorConfigNamespaceLister (Interface)
KubeArmorConfigNamespaceLister helps list and get KubeArmorConfigs. All objects returned here must be treated as read-on [15 …
pkg/KubeArmorOperator/client/listers/operator.kubearmor.com/v1/kubearmorconfig.go
PresetInterface (Interface)
PresetInterface interface [5 implementers]
KubeArmor/presets/base/basePreset.go
CertLoader (Interface)
(no doc) [3 implementers]
KubeArmor/cert/certloader.go
KubeArmorHostPolicyEventCallback (FuncType)
KubeArmorHostPolicyEventCallback Function (declared in the KVM Agent section)
KubeArmor/types/types.go
FeederInterface (Interface)
(no doc; declared in the Feeder section)
KubeArmor/feeder/feeder.go
ConditionFunc (FuncType)
ConditionFunc: functions that fulfill the condition handling
tests/util/kartutil.go
KubeArmorHostPolicyLister (Interface)
KubeArmorHostPolicyLister helps list KubeArmorHostPolicies. All objects returned here must be treated as read-only. [15 …
pkg/KubeArmorController/client/listers/security.kubearmor.com/v1/kubearmorhostpolicy.go

Core symbols most depended-on inside this repo

Warnf
called by 376
KubeArmor/feeder/feeder.go
Printf
called by 209
KubeArmor/feeder/feeder.go
Errf
called by 181
KubeArmor/feeder/feeder.go
AssertCommand
called by 177
tests/util/kartutil.go
KarmorLogStart
called by 148
tests/util/karmorlog.go
KarmorGetTargetAlert
called by 130
tests/util/karmorlog.go
Err
called by 100
KubeArmor/feeder/feeder.go
Print
called by 82
KubeArmor/feeder/feeder.go

Shape

Method 1,115
Function 603
Struct 520
Interface 67
TypeAlias 17
FuncType 8

Languages

Go 100%

Modules by API surface

protobuf/kubearmor.pb.go · 146 symbols
pkg/KubeArmorController/api/security.kubearmor.com/v1/zz_generated.deepcopy.go · 116 symbols
KubeArmor/types/types.go · 66 symbols
protobuf/policy.pb.go · 60 symbols
KubeArmor/feeder/feeder.go · 43 symbols
pkg/KubeArmorController/api/security.kubearmor.com/v1/common.go · 42 symbols
tests/util/kartutil.go · 39 symbols
protobuf/policy_grpc.pb.go · 38 symbols
KubeArmor/common/common.go · 38 symbols
pkg/KubeArmorOperator/internal/controller/cluster.go · 37 symbols
KubeArmor/core/kubeUpdate.go · 37 symbols
KubeArmor/monitor/syscallParser.go · 30 symbols

Dependencies from manifests, versioned

cel.dev/expr v0.25.2 · 1×
cyphar.com/go-pathrs v0.2.4 · 1×
dario.cat/mergo v1.0.2 · 1×
github.com/Azure/go-ansiterm v0.0.0-2025010203350 · 1×
github.com/Masterminds/goutils v1.1.1 · 1×
github.com/Masterminds/semver/v3 v3.5.0 · 1×
github.com/Masterminds/sprig/v3 v3.3.0 · 1×
github.com/Microsoft/go-winio v0.6.3-0.20251027160 · 1×
github.com/Microsoft/hcsshim v0.15.0-rc.1 · 1×
github.com/VividCortex/ewma v1.2.0 · 1×
github.com/acarl005/stripansi v0.0.0-2018011610285 · 1×

Datastores touched

mongodb (Database) · 1 repo
mysql (Database) · 1 repo

For agents

$ claude mcp add KubeArmor \
  -- python -m otcore.mcp_server <graph>
