KubeArmor Support Matrix

KubeArmor supports following types of workloads:

1. K8s orchestrated: Workloads deployed as k8s orchestrated containers. In this case, Kubearmor is deployed as a k8s daemonset. Note, KubeArmor supports policy enforcement on both k8s-pods (KubeArmorPolicy) as well as k8s-nodes (KubeArmorHostPolicy).
2. Containerized: Workloads that are containerized but not k8s orchestrated are supported. KubeArmor installed in systemd mode can be used to protect such workloads.
3. VM/Bare-Metals: Workloads deployed on Virtual Machines or Bare Metal i.e. workloads directly operating as host/system processes. In this case, Kubearmor is deployed in systemd mode.

Kubernetes Support Matrix

Provider	K8s engine	OS Image	Arch	Observability	Audit Rules	Blocking Rules	Network-Segmentation	LSM Enforcer	Remarks
Onprem	kubeadm, k0s, k3s, microk8s	Distros	x86_64, ARM					BPFLSM, AppArmor
Google	GKE	COS	x86_64					BPFLSM, AppArmor	All release channels
Google	GKE	Ubuntu >= 16.04	x86_64					BPFLSM, AppArmor	All release channels
Microsoft	AKS	Ubuntu >= 18.04	x86_64					BPFLSM, AppArmor
Oracle	OKE	UEK >=7	x86_64					BPFLSM	Oracle Linux Server 8.7
IBM	IKS	Ubuntu	x86_64					BPFLSM, AppArmor
Talos	Talos k8s	Talos	x86_64					BPFLSM	1540
AWS	EKS	Amazon Linux 2 (kernel >=5.8)	x86_64					BPFLSM
AWS	EKS	Ubuntu	x86_64					AppArmor
AWS	EKS	Bottlerocket	x86_64					BPFLSM
AWS	EKS-Auto-Mode	Bottlerocket	x86_64					BPFLSM
AWS	Graviton	Ubuntu	ARM					AppArmor
AWS	Graviton	Amazon Linux 2	ARM					SELinux
RedHat	OpenShift	RHEL <=8.4	x86_64					SELinux
RedHat	OpenShift	RHEL >=8.5	x86_64					BPFLSM
RedHat	MicroShift	RHEL >=9.2	x86_64					BPFLSM
Rancher	RKE	SUSE	x86_64					BPFLSM, AppArmor
Rancher	K3S	Distros	x86_64					BPFLSM, AppArmor
Oracle	Ampere	UEK	ARM					SELinux	1084
VMware	Tanzu	TBD	x86_64						1064
Mirantis	MKE	Ubuntu>=20.04	x86_64					AppArmor	1181
Digital Ocean	DOKS	Debian GNU/Linux 11 (bullseye)	x86_64					BPFLSM	1120
Alibaba Cloud	Alibaba	Alibaba Cloud Linux 3.2104 LTS	x86_64					BPFLSM	1650

Supported Linux Distributions

Following distributions are tested for VM/Bare-metal based installations:

Note Full: Supports both enforcement and observability
Partial: Supports only observability

Platform I am interested is not listed here! What can I do?

Please approach the Kubearmor community on slack or raise a GitHub issue to express interest in adding the support.

It would be very much appreciated if you can test kubearmor on a platform not listed above and if you have access to. Once tested you can update this document and raise a PR.