跳到主要内容
版本:v0.6

Comparison Testing

To further compare different Enforcers in real scenarios, we used the Phoronix Test Suite (PTS) to conduct a series of automated performance tests on some common loads (Redis, Apache, etc.).

Test Environment

  • Cluster version: v1.26.10-vke.18
  • Number of nodes: 3
  • Nodes with AppArmor & BPF LSM enabled by default
  • Node specifications: ecs.g3i.xlarge (4vCPU 16GiB)

Test Scenarios

In this round of testing, we performed horizontal comparisons of two enforcers: AppArmor and BPF. Each enforcer was tested in three typical scenarios, including AlwaysAllow, RuntimeDefault, and EnhanceProtect. The policies for each scenario are as follows:

  • Init Benchmark

    No policy applied

  • AlwaysAllow

    Tested with AlwaysAllow Mode, no rules enabled

  • RuntimeDefault

    Tested with RuntimeDefault Mode, no rules enabled

  • EnhanceProtect

    Tested with EnhanceProtect Mode, with the following rules enabled:

    • disable-cap-privilege
    • disallow-umount
    • disallow-access-procfs-root
    • mitigate-disk-device-number-leak
    • mitigate-sa-leak
    • mitigate-overlayfs-leak
    • mitigate-host-ip-leak
    • disallow-metadata-service
    • cgroups-lxcfs-escape-mitigation
    • runc-override-mitigation

In addition, we also tested the Seccomp enforcer with the currently available four rules. This test is for reference only and is not used as a performance benchmark or comparison.

The policy files used for the tests can be found in the test/perf/policy directory.

Test Steps

We wrote a bash script to automate the testing process, which mainly completes the following tasks:

  • Create and delete Pods in the Kubernetes cluster.
  • Apply and remove different security policies.
  • Initialize test configurations, install test tools, and run the Phoronix Test Suite.
  • Record the test results.

Specifically, for the Init Benchmark, BPF, and Seccomp modes, we used different Pod configurations and enabled container.apparmor.security.beta.kubernetes.io/phoronix: unconfined to ensure AppArmor was not enabled, avoiding the default AppArmor profile from affecting the test results.

You can find the Pod definitions and Phoronix runtime configurations in the test/perf/policy directory. The automation test script is also located in the test/perf directory. Additionally, we have written separate test scripts for sysbench and unixbench, which you can use if you are interested in conducting your own tests.

Test Results

  • EnhanceProtect: The performance of BPF decreased by about 1.2% compared to AppArmor.
  • RuntimeDefault: The performance of BPF decreased by about 0.6% compared to AppArmor.
  • AlwaysAllow: The performance of BPF decreased by about 0.1% compared to AppArmor.

image

The analysis results shows that although BPF generally exhibits slight performance degradation compared to AppArmor in different scenarios, the differences are relatively small. This indicates that BPF is a feasible alternative to AppArmor with acceptable performance overhead in security applications.

Below are the detailed test results for each scenario:

Phoronix-Apache

Requests Per Second-Higher is better

Test ScenarioApache Concurrent Requests 4Apache Concurrent Requests 20Apache Concurrent Requests 100Apache Concurrent Requests 200Apache Concurrent Requests 500Apache Concurrent Requests 1000
NoProtect16838.617073.816961.7816619.6514029.1911944.99
AlwaysAllow AppArmor16469.4116505.8416764.1416312.6913750.2411729.78
AlwaysAllow BPF16452.9416489.3316747.3816296.3813736.4911718.05
RuntimeDefault AppArmor16376.5416067.0916461.3916242.6913385.8711599.9
RuntimeDefault BPF16360.1616051.0216444.9316226.4513372.4811588.3
Enhance AppArmor15833.4315802.8416385.1916101.5113276.1611429.32
Enhance BPF15817.615787.0416368.816085.4113262.8811417.89
Seccomp14882.4315035.1215454.2415312.2512870.2811162.86

Phoronix-GIMP

Time Usage-Lower is better

Test ScenarioGIMP Resize TimesGIMP RotateTimesGIMP Auto-Levels TimesGIMP Unsharp-Mask Times
NoProtect16.61611.84216.54319.888
AlwaysAllow AppArmor16.67211.95116.65820.04
AlwaysAllow BPF16.87212.09416.85820.28
RuntimeDefault AppArmor16.73711.97716.73420.221
RuntimeDefault BPF16.76212.04416.88720.289
Enhance AppArmor16.85511.95816.81420.312
Enhance BPF16.87612.10116.94720.411
Seccomp16.91512.86318.08221.096

Phoronix-Redis

Requests Per Second-Higher is better

Test ScenarioGET Connection 50SETConnection 50GETConnection 500SET Connection 500LPOPConnection 500
NoProtect23565171612305194451416140232298349
AlwaysAllow AppArmor23368921610689193603516051862287682
AlwaysAllow BPF23228701601025192441815955552273956
RuntimeDefault AppArmor23160041610480195758615981562281477
RuntimeDefault BPF23021081600817194584015885672267788
Enhance AppArmor23144581597515192952815896302252763
Enhance BPF23005711587930191795115800932239246
Seccomp22804761596606187522915470452316358

Phoronix-Sysbench

Higher is better

Test ScenarioSysbenchRam/MemorySysbenchCPU
NoProtect4189.512831.65
AlwaysAllow AppArmor4030.552821.5
AlwaysAllow BPF4026.5192818.679
RuntimeDefault AppArmor4023.672818.7
RuntimeDefault BPF4019.6462815.881
Enhance AppArmor3939.252808.13
Enhance BPF3935.3112805.322
Seccomp4138.072832.87