Skip to main content
Version: v0.6

Interface Specification

VarmorPolicySpec / VarmorClusterPolicySpec

FieldSubfieldSubfieldDescription
targetkind
string
-Kind is used to specify the type of workloads for the protection targets.
Available values: Deployment, StatefulSet, DaemonSet, Pod
name
string
-Optional. Name is used to specify a specific workload name.
containers
string array
-Optional. Containers are used to specify the names of the protected containers. If it is empty, sandbox protection will be enabled for all containers within the workload (excluding initContainers and ephemeralContainers).
selector
LabelSelector
-Optional. LabelSelector is used to match workloads that meet the specified conditions.
Note: the type of workloads is determined by the KIND field.
policyenforcer
string
-Enforcer is used to specify which LSM to use for mandatory access control.
Available values: AppArmor, BPF, Seccomp, AppArmorBPF, AppArmorSeccomp, BPFSeccomp, AppArmorBPFSeccomp
mode
string
-Used to specify the protection mode.
Available values: AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling, DefenseInDepth
enhanceProtecthardeningRules
string array
Optional. HardeningRules are used to specify the built-in hardening rules.
attackProtectionRules
AttackProtectionRules array
Optional. AttackProtectionRules are used to specify the built-in attack protection rules.
vulMitigationRules
string array
Optional. VulMitigationRules are used to specify the built-in vulnerability mitigation rules.
appArmorRawRules
string array
Optional. AppArmorRawRules is used to set custom AppArmor rules, each rule must end with a comma, please refer to the AppArmor Syntax.
bpfRawRules
BpfRawRules array
Optional. BpfRawRules is used to set custom BPF rules.
syscallRawRules
LinuxSyscall array
Optional. SyscallRawRules is used to set the custom syscalls blocklist rules with Seccomp enforcer. Please refer to this document to create custom rules.
privileged
bool
Optional. Privileged is used to identify whether the policy is for the privileged container. If set to nil or false, vArmor will build AppArmor or BPF profiles on top of the RuntimeDefault mode. Otherwise, it will build AppArmor or BPF profiles on top of the AlwaysAllow mode. (Default: false)

Note: If set to true, vArmor will not build Seccomp profile for the target workloads.
auditViolations
bool
Optional. AuditViolations determines whether to audit the actions that violate the mandatory access control rules. Currently, this feature supports AppArmor and BPF enforcers. Any detected violation will be logged to /var/log/varmor/violations.log file in the host. (Default: false)
modelingOptionsduration
int
[Experimental] Duration is the duration in minutes to modeling.
updateExistingWorkloads
bool
--Optional. UpdateExistingWorkloads is used to indicate whether to perform a rolling update on target existing workloads, thus enabling or disabling the protection of the target workloads when policies are created or deleted. (Default: false)

Note: vArmor only performs a rolling update on Deployment, StatefulSet, or DaemonSet type workloads. If .spec.target.kind is Pod, you need to rebuild the Pod yourself to enable or disable protection.
PLACEHOLDER_PLACEHOD

AttackProtectionRules

FieldDescription
rules
string array
List of built-in attack protection rules to be used.
targets
string array
Optional. Targets are used to specify the workloads to which the policy applies. They must be specified as full paths to executable files, and this feature is only effective when using AppArmor as the enforcer.
PLACEHOLDER

BpfRawRules

FieldSubfieldDescription
files
FileRule array
pattern
string
Any string (maximum length 128 bytes) that conforms to the policy syntax, used for matching file paths and filenames.
permissions
string array
Permissions are used to specify the file permissions to be disabled.
Available values: read(r), write(w), append(a), exec(e)
processes
FileRule array
-Same as above.
network
NetworkRule
egresses
NetworkEgressRule array
Optional. Egresses are the list of egress rules to be applied to restrict particular IPs and ports.
ptrace
PtraceRule
strictMode
bool
Optional. If set to false, it restricts ptrace-related permissions only for processes in other containers. If set to true, it restricts ptrace-related permissions for all processes, except those within the init mnt namespace. (Default: false)
permissions
string array
Prohibited ptrace-related permissions. Available values: trace, traceby, read, readby.
- trace: prohibiting tracing of other container processes.
- read: prohibiting reading of other container processes.
- traceby: prohibiting being traced by other processes (excluding the host processes).
- readby: prohibiting being read by other processes (excluding the host processes).
mounts
MountRule array
sourcePattern
string
Any string (maximum length 128 bytes) that conforms to the policy syntax of BPF enforcer, used for matching the source paramater of MOUNT(2), the target paramater of UMOUNT(2), and the from_pathname paramater of MOVE_MOUNT(2).
fstype
string
Any string (maximum length 16 bytes), used for matching the type of filesystem. '*' represents matching any filesystem.
flags
string array
Prohibited mount flags. They are similar to AppArmor's MOUNT FLAGS, 'all' represents matching all mount flags.
Available values: all, ro(r, read-only), rw(w), suid, nosuid, dev, nodev, exec, noexec, sync, async, mand, nomand, dirsync, atime, noatime, diratime, nodiratime, silent, loud, relatime, norelatime, iversion, noiversion, strictatime, nostrictatime, remount, bind(B), move(M), rbind(R), make-unbindable, make-private(private), make-slave(slave), make-shared(shared), make-runbindable, make-rprivate, make-rslave, make-rshared, umount
PLACEHOLDER_PLACEHOLDER_PLACEHOD

NetworkEgressRule

FieldDescription
ipBlock
string
Optional. IPBlock defines policy on a particular IPBlock with CIDR. If this field is set then neither of the IP field can be. For example:
* 192.168.1.1/24 represents IP addresses within the range of 192.168.1.0 to 192.168.1.255.
* 2001:db8::/32 represents IP addresses within the range of 2001:db8:: to 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
ip
string
Optional. IP defines policy on a particular IP. If this field is set then neither of the IPBlock field can be.
port
int
Optional. Port defines policy on a particular port. If this field is zero or missing, this rule matches all ports.
Available values: 1 to 65535
PLACEHOLDER