Releases: dynatrace-oss/koney

Koney 0.2.0

17 Apr 09:55

Koney is a Kubernetes operator that enables you to define so-called deception policies for your cluster.

Find the documentation in the 📄 README file.

📝 Changelog

Highlights

📦 Distribute Koney as a Helm chart (#39) with an OCI-based registry (#40)

Koney 0.2.0+ is distributed as a Helm chart and published as an OCI artifact in the GitHub Container Registry. This allows for easier installation and management of Koney in Kubernetes clusters. It is the recommended way to install Koney. Consult the 📄 README file for further details.

helm install koney --create-namespace -n koney-system --wait oci://ghcr.io/dynatrace-oss/koney/charts/koney --version 0.2.0

🚀 Add DeceptionAlertSink resources

Koney 0.2.0+ supports sending alerts to external systems. Initially, Koney can export alerts as Dynatrace security events. Please refer to the 📄 ALERT_SINKS document to learn more.

🚀 Add Kive captor strategy as an alternative to Tetragon (#28) — thanks @San7o

Koney 0.2.0+ supports using Kive — contributed by Giovanni Santini (@San7o) — as a captor strategy for deception policies. Kive is a lightweight, open-source, eBPF-powered Kubernetes operator for monitoring file accesses in Kubernetes clusters. It can be used as an alternative to Tetragon. Unlike Tetragon, Kive monitors inode numbers, which allows more robust detection (e.g., of symbolic links or bind mounts) than Tetragon OSS. Early tests also showed that Kive has a lower performance overhead than Tetragon as it only monitors explicitly defined file paths. Please refer to both the 📄 Koney README and the official 📄 Kive documentation for further details and limitations.

⚠️ Kive is currently in early preview and was tested with Linux Kernel >= 5.10 and containerd as the container runtime. To use Kive as a captor strategy, you need to set up Kive in your cluster and configure your deception policies to use the kive captor strategy. Due to #49, installation currently requires a manual adaptation of the Kive installation manifest.

kubectl apply -f https://raw.githubusercontent.com/San7o/kivebpf/refs/heads/main/dist/install-remote.yaml
kubectl set image -n kivebpf-system daemonset kivebpf-manager "*=ghcr.io/san7o/kivebpf:dev"

Then, set captorDeployment.strategy to kive in your deception policies.

captorDeployment:
  strategy: kive
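
The difference between path-based and inode-based monitoring noted above can be reproduced in user space. The following is an added example, not code from Koney, Kive, or Tetragon, and it models only the matching idea, not any eBPF logic; the function names and the temporary file names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// pathWatchHits models a watch keyed on the path string: only the literal path triggers it.
func pathWatchHits(watched, accessed string) bool {
	return filepath.Clean(watched) == filepath.Clean(accessed)
}

// inodeWatchHits models a watch keyed on file identity (device and inode on Unix).
func inodeWatchHits(watched, accessed string) (bool, error) {
	w, err := os.Stat(watched) // os.Stat follows symbolic links
	if err != nil {
		return false, err
	}
	a, err := os.Stat(accessed)
	if err != nil {
		return false, err
	}
	return os.SameFile(w, a), nil
}

// aliasDemo reports which watch model notices access to a decoy file through a symlink.
func aliasDemo() (pathHit, inodeHit bool, err error) {
	dir, err := os.MkdirTemp("", "honeytoken-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	token := filepath.Join(dir, "credentials") // constructed decoy file
	alias := filepath.Join(dir, "alias")       // constructed symlink to the decoy
	if err = os.WriteFile(token, []byte("decoy\n"), 0o600); err != nil {
		return false, false, err
	}
	if err = os.Symlink(token, alias); err != nil {
		return false, false, err
	}
	inodeHit, err = inodeWatchHits(token, alias)
	return pathWatchHits(token, alias), inodeHit, err
}

func main() {
	p, i, err := aliasDemo()
	fmt.Printf("path-keyed watch hit=%v, inode-keyed watch hit=%v, err=%v\n", p, i, err)
}
```

When testing a honeytoken, read it once through an alias as well as through its literal path to confirm that the chosen captor strategy raises an alert in both cases.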

🚀 containerSelector now supports regex, glob, or plain patterns — thanks @San7o

Koney 0.2.0+ supports three different modes for matching container names in containerSelector fields of deception policies:

  • regex: — the value is interpreted as a regular expression, matched against the container name. For example, regex:app matches any container whose name contains app, while regex:^app$ matches only a container named exactly app.
  • glob: — the value is interpreted as a glob pattern, matched against the full container name. For example, glob:*app* matches any container whose name contains app, while glob:app matches only a container named exactly app.
  • plain pattern — the value is compared for exact match with the container name. For example, app matches only a container named exactly app.
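
The three modes differ mainly in anchoring, which decides how many containers receive a trap. The following is an added example, not Koney's own matcher: `matchContainer` and `selectContainers` are hypothetical helpers, the container names are constructed, and the use of Go's `regexp` and `path.Match` is an assumption about semantics that agrees with the examples given above.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// matchContainer is a hypothetical helper applying the three containerSelector modes.
func matchContainer(selector, name string) (bool, error) {
	switch {
	case strings.HasPrefix(selector, "regex:"):
		// Unanchored: the expression may match anywhere in the container name.
		re, err := regexp.Compile(strings.TrimPrefix(selector, "regex:"))
		if err != nil {
			return false, fmt.Errorf("invalid regex selector %q: %w", selector, err)
		}
		return re.MatchString(name), nil
	case strings.HasPrefix(selector, "glob:"):
		// path.Match must consume the whole name, so a glob is implicitly anchored.
		return path.Match(strings.TrimPrefix(selector, "glob:"), name)
	default:
		return selector == name, nil // plain pattern: exact comparison
	}
}

// selectContainers returns the container names a selector would pick from one pod.
func selectContainers(selector string, names []string) ([]string, error) {
	var out []string
	for _, n := range names {
		ok, err := matchContainer(selector, n)
		if err != nil {
			return nil, err
		}
		if ok {
			out = append(out, n)
		}
	}
	return out, nil
}

func main() {
	pod := []string{"app", "app-sidecar", "webapp", "istio-proxy"} // constructed names
	for _, s := range []string{"regex:app", "regex:^app$", "glob:*app*", "glob:app", "app", "regex:("} {
		got, err := selectContainers(s, pod)
		fmt.Printf("%-12s -> %v err=%v\n", s, got, err)
	}
}
```

An unanchored `regex:app` also selects `app-sidecar` and `webapp`, so anchor the expression with `^` and `$` when a trap is meant for a single container.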

External contributors

We thank the following external contributors for their contributions to this release:

  • 👏 Giovanni Santini (@San7o) — Kive integration
  • 👏 Patrick Pichler (@patrickpichler) — local build platform
  • 👏 Florian Schickhofer (@FloSchick) — ARM64 targets

More changes

  • ⚙️ Support none captor deployment strategy (03231b5)
  • ⚙️ Add field process.uid to alerts (c48a70e)
  • ⚙️ Normalize reported pod.container.id to not include scheme (4c097a2)
  • ⚙️ Support deployment to namespaces other than koney-system (e89cb9a)
  • 🐛 Add Helm clean-up hooks to avoid zombie policy objects when Koney is removed (#47)
  • 🐛 Fix incorrect indentation in config samples (bd8cbff)
  • 🐛 Do not fail when trying to remove non-existent honeytokens (#20)
  • 🐛 Improve error handling in alert forwarder (#51)
  • 📄 Add slides, talks, and references on writing traps (285c1e4)
  • 📄 Add deceptionpolicy-aws-credentials.yaml as a realistic sample policy (17312c6)
  • 📄 Add guide on uninstalling Koney (aef8d36)
  • 📄 Add missing node.name in alerts to documentation (2a66b85)
  • 📄 Add missing IMAGE_TAG_BASE argument in developer guide (#14)
  • 📦 Pin container base images (#9)
  • 📦 Upgrade operator-sdk to v1.41.0 (#38)
  • 📦 Add GitHub actions for testing, linting, and building Koney (#38)
  • 📦 Use local build platform for faster cross-compile (#32) — thanks @patrickpichler
  • 📦 Add ARM64 build targets for Apple Silicon (#5) — thanks @FloSchick
  • 📦 Build controller with Go 1.26 (8a108f0)
  • 📦 Build alert forwarder with Python 3.14 (51d9f79)

⬆️ Upgrading from Koney 0.1.0 to Koney 0.2.0

Starting with Koney 0.2.0+, we recommend installing Koney as a Helm chart: remove the previous YAML-based installation and install the Koney Helm chart instead. Consult the 📄 README file for further details.

Uninstall Koney 0.1.0, which was installed with a single YAML file.

kubectl delete -f https://raw.githubusercontent.com/dynatrace-oss/koney/refs/tags/v0.1.0/dist/install.yaml

Install Koney 0.2.0 as a Helm chart.

helm install koney --create-namespace -n koney-system --wait oci://ghcr.io/dynatrace-oss/koney/charts/koney --version 0.2.0

Koney 0.1.0

06 Feb 16:41

Koney is a Kubernetes operator that enables you to define so-called deception policies for your cluster.

Find the documentation in the README file.

kubectl apply -f https://raw.githubusercontent.com/dynatrace-oss/koney/refs/tags/v0.1.0/dist/install.yaml
kubectl wait --for=condition=ready pod -n koney-system -l control-plane=controller-manager