Skip to main content
Version: v0.6

Usage Instructions

Interface Operations

vArmor provides API interfaces through VarmorPolicy and VarmorClusterPolicy CR. The VarmorClusterPolicy CR have higher priority than VarmorPolicy CR. It means prioritizing the use of VarmorClusterPolicy objects to protect matched workloads. You can create, modify, and delete VarmorPolicy or VarmorClusterPolicy objects in the cluster to protect specified workloads.

vArmor supports performing a rolling restart of existing workloads that meet the matching conditions when a VarmorPolicy or VarmorClusterPolicy object is created or deleted. This rolling restart enables or disables protection for those workloads.

The following constraints and usage requirements must also be observed:

  • Workloads must have the label sandbox.varmor.org/enable="true" to be processed by vArmor's webhook server during creation and updates. If they meet the matching conditions specified in a VarmorPolicy or VarmorClusterPolicy object's spec.target, vArmor will enable sandbox for them.
  • Once a VarmorPolicy or VarmorClusterPolicy object is created, its spec.target cannot be changed. Please create a new VarmorPolicy or VarmorClusterPolicy with the desired target to make changes.
  • After creating a VarmorPolicy or VarmorClusterPolicy object, you can dynamically switch the policy mode and update rules by updating spec.policy. However, switching from BehaviorModeling mode to other modes is not supported, and vice versa (Note: Switching policy mode and updating rules does not require triggering a rolling restart of workloads).

State Management

You can check the status of VarmorPolicy or VarmorClusterPolicy object to get information about the processing stage, error messages, and the processing status of AppArmor/BPF/Seccomp Profiles.

You can check the profileName field by examining the status of VarmorPolicy or VarmorClusterPolicy object. Afterwards, you can look at the corresponding ArmorProfile object with the same name to obtain the status and error information when the Agent processes the Profile.

Log Management

vArmor's manager and agent components currently log messages only to standard output.

You can leverage logging components for collection and configuring alerts. Such as \* | select count(*) as ErrCount where __content__ LIKE 'E%'

System Interface

VarmorPolicy

  • Namespace-scoped resource, consistent with the namespace of the protected object.

  • The VarmorPolicy interface details can be found in Interface Specification.

  • The definition of VarmorPolicy can be found in VarmorPolicy CRD.

  • Explanation of VarmorPolicy/Status:

    FieldsValueInterpretation
    PhasePendingThe ArmorProfile has been created, waiting for a response from the Agent component.
    ProtectingEnforcing access control on the containers of the target workload.
    ModelingCurrently modeling the behavior of the target application.
    CompletedBehavior modeling for the target application has been completed.
    ErrorError occurred, please retrieve error information through the conditions fields.
    ConditionsType=Created
    Status=True
    The creation event of VarmorPolicy has been responded by the controller and processed successfully.
    Type=Created
    Status=False
    Reason=XXX
    Message=YYY
    The creation event of VarmorPolicy has been responded to by the controller, but processing has failed. This includes the reason for the failure and error information.
    Type=Updated
    Status=True
    The update event of VarmorPolicy has been responded to by the controller and processed successfully.
    Type=Updated
    Status=False
    Reason=XXX
    Message=YYY
    The update event of VarmorPolicy has been responded to by the controller, but processing has failed. This includes the reason for the failure and error information.
    ReadyTrueThe profile has been processed and loaded by all agents.
    FalseThe profile has not yet been processed and loaded by all agents.

VarmorClusterPolicy

  • Cluster-scoped resource.
  • The VarmorClusterPolicy interface details can be found in Interface Specification
  • The definition of VarmorClusterPolicy can be found in VarmorClusterPolicy CRD
  • VarmorClusterPolicy/Status same as VarmorPolicy/Status

ArmorProfile

  • Namespace-scoped resource, consistent with the namespace of the protected object or the namespace of the vArmor components.

  • As an internal interface, used by vArmor only.

  • The definition of ArmorProfile can be found in ArmorProfile CRD.

  • Explanation of ArmorProfile/Status:

    FieldsValueInterpretation
    DesiredNumberLoadedintThe desired number of agents for processing and responding
    CurrentNumberLoadedintThe number of agents that have already been processed and responded.
    Conditionstype=Read
    Status=False
    NodeName=XXX
    Message=YYY
    The failed node and error information

Example

The following example is for demonstration of functionality only, and should not be considered as recommended policy.

apiVersion: crd.varmor.org/v1beta1
kind: VarmorPolicy
metadata:
name: deployment-policy
namespace: default
spec:
target:
kind: Deployment
selector:
matchLabels:
app: nginx
matchExpressions:
- key: environment
operator: In
values: [dev, qa]
policy:
enforcer: AppArmor
mode: EnhanceProtect
enhanceProtect:
hardeningRules:
- disable_cap_privileged
- disable_cap_net_raw
attackProtectionRules:
- rules:
- disable-write-etc
- rules:
- mitigate-sa-leak
targets:
- "/bin/sh"
- "/usr/bin/sh"
- "/bin/dash"
- "/usr/bin/dash"
- "/bin/bash"
- "/usr/bin/bash"
- "/bin/busybox"
- "/usr/bin/busybox"

The policy enables sandbox with EnhanceProtect mode for deployments in the default namespace (with sandbox.varmor.org/enable="true" and app=nginx labels, and an environment label value of dev or qa).

The built-in rules used are as follows:

  • Disable all privileged capabilities (those that can lead to escapes)
  • Disable CAP_NET_RAW capability (Prohibit the use of the AF_PACKET protocol family to create sockets, preventing the construction of link-layer packets and activities like network sniffing.)
  • Prohibit writing to the /etc directory
  • Prohibit shell and its subprocesses from accessing the container's ServiceAccount information

Demos

Here are some demos on how to use vArmor to mitigate vulnerabilities or harden containers with privileged capabilities.