Skip to main content
Version: main

The Policy Modes

Overview

The modes can be specified through the spec.policy.mode field of VarmorPolicy or VarmorClusterPolicy objects. The modes supported by different enforcers are shown in the following table.

Policy ModeAppArmorBPFSeccompDescription
AlwaysAllow✔️✔️✔️No mandatory access control rules are imposed on container.
RuntimeDefault✔️✔️✔️Basic protection is provided using the same default policy as the container runtime components (such as containerd's cri-containerd.apparmor.d).
EnhanceProtect✔️✔️✔️- It offers 5 types of built-in rules and custom interfaces to meet various protection requirements.
- Enhanced protection is based on the RuntimeDefault mode by default. (The spec.policy.privileged field is nil or false)
- Also supports enhanced protection on the basis of the AlwaysAllow mode. (The spec.policy.privileged field is true)
BehaviorModeling✔️🏗️✔️- Utilize BPF and Audit technologies to perform behavior modeling on multiple workloads.
- The behavior model will be stored in the corresponding ArmorProfileModel object.
- Dynamic switching mode is not supported.
- Please refer to the BehaviorModeling Mode for more details.
DefenseInDepth✔️✔️Protect the workloads based on the ArmorProfileModel object.

Note:

  • vArmor policy supports dynamic switching of running modes (limited to AlwaysAllow, EnhanceProtect, RuntimeDefault, DefenseInDepth) and updating sandbox rules without having to restart the workloads. However, when using the Seccomp enforcer, the workload must be restarted for changes to the Seccomp Profile to take effect.
  • vArmor supports modifying policies to add new enforcers, but does not support removing enforcers that have been set. In addition, newly added enforcers only take effect for newly created Workloads.

Experimentals