Interface Specification
VarmorPolicySpec / VarmorClusterPolicySpec
Field | Subfield | Subfield | Description |
---|---|---|---|
target | kind string | - | Kind is used to specify the type of workloads for the protection targets. Available values: Deployment, StatefulSet, DaemonSet, Pod |
name string | - | Optional. Name is used to specify a specific workload name. | |
containers string array | - | Optional. Containers are used to specify the names of the protected containers. If it is empty, sandbox protection will be enabled for all containers within the workload (excluding initContainers and ephemeralContainers). | |
selector LabelSelector | - | Optional. LabelSelector is used to match workloads that meet the specified conditions. Note: the type of workloads is determined by the KIND field. | |
policy | enforcer string | - | Enforcer is used to specify which LSM to use for mandatory access control. Available values: AppArmor, BPF, Seccomp, AppArmorBPF, AppArmorSeccomp, BPFSeccomp, AppArmorBPFSeccomp |
mode string | - | Used to specify the protection mode. Available values: AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling, DefenseInDepth | |
enhanceProtect | hardeningRules string array | Optional. HardeningRules are used to specify the built-in hardening rules. | |
attackProtectionRules AttackProtectionRules array | Optional. AttackProtectionRules are used to specify the built-in attack protection rules. | ||
vulMitigationRules string array | Optional. VulMitigationRules are used to specify the built-in vulnerability mitigation rules. | ||
appArmorRawRules string array | Optional. AppArmorRawRules is used to set custom AppArmor rules, each rule must end with a comma, please refer to the AppArmor Syntax. | ||
bpfRawRules BpfRawRules array | Optional. BpfRawRules is used to set custom BPF rules. | ||
syscallRawRules LinuxSyscall array | Optional. SyscallRawRules is used to set the custom syscalls blocklist rules with Seccomp enforcer. Please refer to this document to create custom rules. | ||
privileged bool | Optional. Privileged is used to identify whether the policy is for the privileged container. If set to nil or false , vArmor will build AppArmor or BPF profiles on top of the RuntimeDefault mode. Otherwise, it will build AppArmor or BPF profiles on top of the AlwaysAllow mode. (Default: false)Note: If set to true , vArmor will not build Seccomp profile for the target workloads. | ||
auditViolations bool | Optional. AuditViolations determines whether to audit the actions that violate the mandatory access control rules. Currently, this feature supports AppArmor and BPF enforcers. Any detected violation will be logged to /var/log/varmor/violations.log file in the host. (Default: false) | ||
modelingOptions | duration int | [Experimental] Duration is the duration in minutes to modeling. | |
updateExistingWorkloads bool | - | - | Optional. UpdateExistingWorkloads is used to indicate whether to perform a rolling update on target existing workloads, thus enabling or disabling the protection of the target workloads when policies are created or deleted. (Default: false) Note: vArmor only performs a rolling update on Deployment, StatefulSet, or DaemonSet type workloads. If .spec.target.kind is Pod, you need to rebuild the Pod yourself to enable or disable protection. |
PLACEHOLDER_PLACEHOD |
AttackProtectionRules
Field | Description |
---|---|
rules string array | List of built-in attack protection rules to be used. |
targets string array | Optional. Targets are used to specify the workloads to which the policy applies. They must be specified as full paths to executable files, and this feature is only effective when using AppArmor as the enforcer. |
PLACEHOLDER |
BpfRawRules
Field | Subfield | Description |
---|---|---|
files FileRule array | pattern string | Any string (maximum length 128 bytes) that conforms to the policy syntax, used for matching file paths and filenames. |
permissions string array | Permissions are used to specify the file permissions to be disabled. Available values: read(r), write(w), append(a), exec(e) | |
processes FileRule array | - | Same as above. |
network NetworkRule | egresses NetworkEgressRule array | Optional. Egresses are the list of egress rules to be applied to restrict particular IPs and ports. |
ptrace PtraceRule | strictMode bool | Optional. If set to false, it restricts ptrace-related permissions only for processes in other containers. If set to true, it restricts ptrace-related permissions for all processes, except those within the init mnt namespace. (Default: false) |
permissions string array | Prohibited ptrace-related permissions. Available values: trace, traceby, read, readby . - trace : prohibiting tracing of other container processes. - read : prohibiting reading of other container processes. - traceby : prohibiting being traced by other processes (excluding the host processes). - readby : prohibiting being read by other processes (excluding the host processes). | |
mounts MountRule array | sourcePattern string | Any string (maximum length 128 bytes) that conforms to the policy syntax of BPF enforcer, used for matching the source paramater of MOUNT(2), the target paramater of UMOUNT(2), and the from_pathname paramater of MOVE_MOUNT(2). |
fstype string | Any string (maximum length 16 bytes), used for matching the type of filesystem. '*' represents matching any filesystem. | |
flags string array | Prohibited mount flags. They are similar to AppArmor's MOUNT FLAGS, 'all' represents matching all mount flags. Available values: all, ro(r, read-only), rw(w), suid, nosuid, dev, nodev, exec, noexec, sync, async, mand, nomand, dirsync, atime, noatime, diratime, nodiratime, silent, loud, relatime, norelatime, iversion, noiversion, strictatime, nostrictatime, remount, bind(B), move(M), rbind(R), make-unbindable, make-private(private), make-slave(slave), make-shared(shared), make-runbindable, make-rprivate, make-rslave, make-rshared, umount | |
PLACEHOLDER_ | PLACEHOLDER_PLACEHOD |
NetworkEgressRule
Field | Description |
---|---|
ipBlock string | Optional. IPBlock defines policy on a particular IPBlock with CIDR. If this field is set then neither of the IP field can be. For example: * 192.168.1.1/24 represents IP addresses within the range of 192.168.1.0 to 192.168.1.255. * 2001:db8::/32 represents IP addresses within the range of 2001:db8:: to 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff |
ip string | Optional. IP defines policy on a particular IP. If this field is set then neither of the IPBlock field can be. |
port int | Optional. Port defines policy on a particular port. If this field is zero or missing, this rule matches all ports. Available values: 1 to 65535 |
PLACEHOLDER |