Merge pull request #1407 from nyrahul/main

docs: added CLOMonitor badge
kubearmor · Sep 16, 2023 · f28ac80 · f28ac80
2 parents 05dc476 + 5b26f2d
commit f28ac80
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 
 [![Build Status](https://github.com/kubearmor/KubeArmor/actions/workflows/ci-go.yml/badge.svg)](https://github.com/kubearmor/KubeArmor/actions/workflows/ci-go.yml/)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5401/badge)](https://bestpractices.coreinfrastructure.org/projects/5401)
+[![CLOMonitor](https://img.shields.io/endpoint?url=https://clomonitor.io/api/projects/cncf/kubearmor/badge)](https://clomonitor.io/projects/cncf/kubearmor)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kubearmor/kubearmor/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/kubearmor)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield)
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor.svg?type=shield&issueType=security)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield)

diff --git a/getting-started/FAQ.md b/getting-started/FAQ.md
@@ -256,3 +256,35 @@ One can enable the host policy by patching the daemonset (`kubectl edit daemonse
 This will enable the `KubeArmorHostPolicy` and host based visibility for the k8s worker nodes.
 
 </details>
+
+<details><summary><h4>Unable to get KubeArmor policy enforcement with Kind clusters</h4></summary>
+
+KubeArmor works out of the box with Kind clusters supporting BPF-LSM. However, with AppArmor only mode, Kind cluster needs additional provisional steps. You can check if BPF-LSM is supported/enabled on your host (on which the kind cluster is to be deployed) by using following:
+```
+cat /sys/kernel/security/lsm
+```
+* If it has `bpf` in the list, then everything should work out of the box
+* If it has `apparmor` in the list, then follow the steps mentioned in this FAQ.
+
+## 1. Create Kind cluster
+```sh
+cat <<EOF | kind create cluster --config -
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+- extraMounts:
+  - hostPath: /sys/kernel/security
+    containerPath: /sys/kernel/security
+EOF
+```
+
+## 2. Exec into kind node & install apparmor util
+```sh
+docker exec -it kind-control-plane bash
+apt update && apt install apparmor-utils -y && systemctl restart containerd
+```
+
+After this, exit out of the node shell and follow the [getting-started guide](https://github.com/kubearmor/KubeArmor/blob/main/getting-started/deployment_guide.md).
+
+</details>
+
diff --git a/getting-started/deployment_guide.md b/getting-started/deployment_guide.md
@@ -69,7 +69,7 @@ EOF
 
 Now execute the `apt` command to download the `masscan` tool.
 ```
-kubectl exec -it $POD -- sh -c "apt update && apt install masscan"
+kubectl exec -it $POD -- bash -c "apt update && apt install masscan"
 ```
 
 It will be denied permission to execute.