# KubeArmor
**Repository Path**: mirrors/KubeArmor
## Basic Information
- **Project Name**: KubeArmor
- **Description**: Cloud-native Runtime Security Enforcement System
- **Primary Language**: Go
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 5
- **Forks**: 0
- **Created**: 2022-07-25
- **Last Updated**: 2026-02-21
## Categories & Tags
**Categories**: cloud-native
**Tags**: None
## README
[](https://github.com/kubearmor/KubeArmor/actions/workflows/ci-test-ginkgo.yml/)
[](https://bestpractices.coreinfrastructure.org/projects/5401)
[](https://clomonitor.io/projects/cncf/kubearmor)
[](https://securityscorecards.dev/viewer/?uri=github.com/kubearmor/KubeArmor)
[](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield)
[](https://app.fossa.com/projects/git%2Bgithub.com%2Fkubearmor%2FKubeArmor?ref=badge_shield)
[](https://cloud-native.slack.com/archives/C02R319HVL3)
[](https://github.com/kubearmor/KubeArmor/discussions)
[](https://hub.docker.com/r/kubearmor/kubearmor)
[](https://artifacthub.io/packages/search?kind=19)
KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior \(such as process execution, file access, and networking operations\) of pods, containers, and nodes (VMs) at the system level.
KubeArmor leverages [Linux security modules \(LSMs\)](https://en.wikipedia.org/wiki/Linux_Security_Modules) such as [AppArmor](https://en.wikipedia.org/wiki/AppArmor), [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux), or [BPF-LSM](https://docs.kernel.org/bpf/prog_lsm.html) to enforce the user-specified policies. KubeArmor generates rich alerts/telemetry events with container/pod/namespace identities by leveraging eBPF.
| | |
|:---|:---|
| :muscle: **[Harden Infrastructure](getting-started/hardening_guide.md)**
:chains: Protect critical paths such as cert bundles
:clipboard: MITRE, STIGs, CIS based rules
:left_luggage: Restrict access to raw DB table | :ring: **[Least Permissive Access](getting-started/least_permissive_access.md)**
:traffic_light: Process Whitelisting
:traffic_light: Network Whitelisting
:control_knobs: Control access to sensitive assets |
| :telescope: **[Application Behavior](getting-started/workload_visibility.md)**
:dna: Process execs, File System accesses
:compass: Service binds, Ingress, Egress connections
:microscope: Sensitive system call profiling | :snowflake: **[Deployment Models](getting-started/deployment_models.md)**
:wheel_of_dharma: Kubernetes Deployment
:whale2: Containerized Deployment
:computer: VM/Bare-Metal Deployment |
## Architecture Overview
## Documentation :notebook:
* :point_right: [Getting Started](getting-started/deployment_guide.md)
* :dart: [Use Cases](getting-started/use-cases/hardening.md)
* :heavy_check_mark: [KubeArmor Support Matrix](getting-started/support_matrix.md)
* :chess_pawn: [How is KubeArmor different?](getting-started/differentiation.md)
* :scroll: Security Policy for Pods/Containers [[Spec](getting-started/security_policy_specification.md)] [[Examples](getting-started/security_policy_examples.md)]
* :scroll: Cluster level security Policy for Pods/Containers [[Spec](getting-started/cluster_security_policy_specification.md)] [[Examples](getting-started/cluster_security_policy_examples.md)]
* :scroll: Security Policy for Hosts/Nodes [[Spec](getting-started/host_security_policy_specification.md)] [[Examples](getting-started/host_security_policy_examples.md)]
... [detailed documentation](https://docs.kubearmor.io/kubearmor/)
### Contributors :busts_in_silhouette:
* :blue_book: [Contribution Guide](contribution/contribution_guide.md)
* :technologist: [Development Guide](contribution/development_guide.md), [Testing Guide](contribution/testing_guide.md)
* :raised_hand: [Join KubeArmor Slack](https://cloud-native.slack.com/archives/C02R319HVL3)
* :question: [FAQs](getting-started/FAQ.md)
### Biweekly Meeting
- :speaking_head: [Zoom Link](http://zoom.kubearmor.io)
- :page_facing_up: Minutes: [Document](https://docs.google.com/document/d/1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs/edit)
- :calendar: Calendar invite: [Google Calendar](http://www.google.com/calendar/event?action=TEMPLATE&dates=20220210T150000Z%2F20220210T153000Z&text=KubeArmor%20Community%20Call&location=&details=%3Ca%20href%3D%22https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1IqIIG9Vz-PYpbUwrH0u99KYEM1mtnYe6BHrson4NqEs%2Fedit%22%3EMinutes%20of%20Meeting%3C%2Fa%3E%0A%0A%3Ca%20href%3D%22%20http%3A%2F%2Fzoom.kubearmor.io%22%3EZoom%20Link%3C%2Fa%3E&recur=RRULE:FREQ=WEEKLY;INTERVAL=2;BYDAY=TH&ctz=Asia/Calcutta), [ICS file](getting-started/resources/KubeArmorMeetup.ics)
## Notice/Credits :handshake:
- KubeArmor uses [Tracee](https://github.com/aquasecurity/tracee/)'s system call utility functions.
## CNCF
KubeArmor is [Sandbox Project](https://www.cncf.io/projects/kubearmor/) of the Cloud Native Computing Foundation.
## ROADMAP
KubeArmor roadmap is tracked via [KubeArmor Projects](https://github.com/orgs/kubearmor/projects?query=is%3Aopen)