The Policy Modes
Overview
The modes can be specified through the spec.policy.mode field of VarmorPolicy or VarmorClusterPolicy objects. The modes supported by different enforcers are shown in the following table.
| Policy Mode | AppArmor | BPF | Seccomp | Description |
|---|---|---|---|---|
| AlwaysAllow | ✔️ | ✔️ | ✔️ | No mandatory access control rules are imposed on container. |
| RuntimeDefault | ✔️ | ✔️ | ✔️ | Basic protection is provided by using the default profile of containerd. See cri-containerd.apparmor.d and seccomp_default. |
| EnhanceProtect | ✔️ | ✔️ | ✔️ | - Predefined Built-in Rules are ready to use out of the box. - Tailor protection policies to specific requirements via customizable interfaces. - Support Alarm-Only and Alarm-Interception modes for monitoring and auditing. - Generate AppArmor/BPF profiles based on RuntimeDefault or AlwaysAllow modes. |
| BehaviorModeling | ✔️ | 🏗️ | ✔️ | - Uses BPF and audit technologies to perform behavior modeling across workloads. - Behavior models are stored in the corresponding ArmorProfileModel object. - See BehaviorModeling Mode for details. |
| DefenseInDepth | ✔️ | 🏗️ | ✔️ | - Provide Deny-by-Default protection via the behavior model or custom profiles. - Provide custom rule interfaces and alarm-only mode to develop and manage profiles. - See DefenseInDepth Mode for details. |
Notes
- vArmor policy supports dynamic switching the running mode and updating sandbox rules without restarting the workloads. The following scenarios require special handling:
- When using the Seccomp enforcer, the workload needs to be restarted for changes to the Seccomp Profile to take effect.
- The BehaviorModeling mode can only be switched to other modes after the modeling is completed.
- When switching to BehaviorModeling mode from other modes or when the modeling has already been completed, you need to update the modeling duration and restart the target workload to restart the modeling process.
- vArmor supports modifying policies to add new enforcers, and the newly added enforcers only take effect on newly created Workloads.
- vArmor supports modifying policies to remove the BPF enforcer.
Experimentals
📄️ BehaviorModeling Mode
Gather behavior data and build profiles for target workloads.
📄️ DefenseInDepth Mode
Protect the workloads based on the behavior model.