KubeAV is a Kubernetes operator that automates malware detection on Kubernetes. This is potentially useful when you're managing (and serving) untrusted data in your Kubernetes volumes.
Install this operator using Helm:
$ helm repo add mittwald https://helm.mittwald.de
$ helm repo update
$ kubectl create namespace kubeav-system
$ helm install kubeav mittwald/kubeav --namespace kubeav-system
This operator consists of several components:
- The KubeAV operator runs the main controller loop. It watches for
VirusScanandScheduledVirusScanresources created by users (or itself). - The KubeAV updater is a
DaemonSetthat is created by the manager to run on every node. It maintains a local copy of the ClamAV database on each node in your cluster. - The KubeAV agent is run in
Jobresources that are managed by creating aVirusScancustom resource. The agent contains the actual virus scanner which uses the signature database which is maintained by the updater.
┌────────────────┐
creates │ KubeAV updater │
┌───────────────▶│ (DaemonSet) │
│ └────────────────┘
┌──────────┴──────┐
│ KubeAV operator │
└──────────┬──────┘
│ creates ┌───────────────────┐ ┌──────────────┐
┌────────────────────────▶| VirusScan ├──────────────────────────▶│ KubeAV agent │
│ ├───────────────▶| (Custom Resource) │ creates (via operator) │ (Job) │
│ │ watches └───────────────────┘ └──────────────┘
│ │ ▲
│ │ │ creates (via operator)
│ │ │
│ │ creates ┌─────────┴──────────┐
├────────────────────────▶│ ScheduledVirusScan │
│ └───────────────▶│ (Custom Resource) │
│ watches └────────────────────┘
O
/|\ User
/ \
An on-demand scan is modelled using the VirusScan custom resource (API group av.mittwald.de/v1beta1). In the .spec of a virus scan you can specify which files to scan and which engine to use (currently, only ClamAV is supported):
apiVersion: av.mittwald.de/v1beta1
kind: VirusScan
metadata:
name: example-virusscan
spec:
# supported values: ["ClamAV"]
engine: ClamAV
# list of volumes to scan
targets:
# "volume" may be any kind of VolumeSource that you'd also use in
# a PodSpec.
- volume:
persistentVolumeClaim:
claimName: my-pvc
subPath: path/to/subdirA VirusScan resource will be mapped to a Job (of the batch/v1 API group), which will in turn result in a Pod that runs the configured AV engine and that has all the specified volumes mounted.
The results of the AV scan will be written back into the .status property of the VirusScan resource:
$ kubectl get virusscans
NAME SUMMARY SCHEDULED COMPLETED AGE
example-virusscan Completed (1 infected files) 44s 11s 44sThe .status.scanResults property in the CR lists the individual files found by the scanner:
apiVersion: av.mittwald.de/v1beta1
kind: VirusScan
metadata:
name: example-virusscan
spec: # ...
status:
conditions:
Completed:
type: Completed
status: "True"
Positive:
type: Positive
status: "True"
scanResults:
# filePath:
# path to the infected file
# matchingSignature:
# name of the detected signature as reported by the AV engine.
- filePath: /scan/scan-target-0/infected-file
matchingSignature: Eicar-SignaturePeriodic scanning can be configured using the ScheduledVirusScan resource.
apiVersion: av.mittwald.de/v1beta1
kind: ScheduledVirusScan
metadata:
name: example-scheduledvirusscan
spec:
# this is a standard cron schedule
schedule: "0 */3 * * *"
# how many "VirusScan" resources that were created from this
# schedule should be kept.
historySize: 3
# template for a "VirusScan" resource
template:
spec:
engine: ClamAV
targets:
- volume:
hostPath:
path: /
subPath: root/virusFor these resources, KubeAV will create new VirusScan resources from the configured template at the specified interval.
- Alerting (maybe by adding a metric for counting infected files? Or by directly integrating something like the Prometheus alert manager)
- On-Access Scanning (Todo: determine feasibility in containerized environment)