LSMs provide kernel-level security mechanisms that can be used to address the dynamic challenges of cloud native security. KubeArmor, a runtime security engine and CNCF sandbox project uses LSMs to protect cloud workloads at runtime.

As a maintainer of KubeArmor, I will share my understanding working with LSMs to implement a robust runtime security engine to protect cloud workloads through the lens of KubeArmor.

While all LSMs provide crucial security benefits, their effectiveness varies significantly based on use-case, deployment context and operational requirements.

In this session, I'll be evaluating LSMs including SELinux, Apparmor and BPF-LSM across three critical dimensions:
Performance impact: The overhead each LSMs introduce.
Security capabilities: Each LSM's effectiveness against common attack vectors through live demonstrations.
Operational complexity: Highlighting the learning curve, complexities in implementation and maintenance.