Skip to main content
Version: v0.8

The Policy Modes

Overview

The modes can be specified through the spec.policy.mode field of VarmorPolicy or VarmorClusterPolicy objects. The modes supported by different enforcers are shown in the following table.

Policy ModeAppArmorBPFSeccompDescription
AlwaysAllow✔️✔️✔️No mandatory access control rules are imposed on container.
RuntimeDefault✔️✔️✔️Basic protection is provided by using the default profile of containerd. See cri-containerd.apparmor.d and seccomp_default.
EnhanceProtect✔️✔️✔️- Predefined Built-in Rules are ready to use out of the box.
- Tailor protection policies to specific requirements via customizable interfaces.
- Support Alarm-Only and Alarm-Interception modes for monitoring and auditing.
- Generate AppArmor/BPF profiles based on RuntimeDefault or AlwaysAllow modes.
BehaviorModeling✔️🏗️✔️- Uses BPF and audit technologies to perform behavior modeling across workloads.
- Behavior models are stored in the corresponding ArmorProfileModel object.
- Does not support dynamic mode switching.
- See BehaviorModeling Mode for details.
DefenseInDepth✔️🏗️✔️- Provide Deny-by-Default protection via the behavior model or custom profiles.
- Provide custom rule interfaces and alarm-only mode to develop and manage profiles.
- See DefenseInDepth Mode for details.

Note:

  • vArmor policy supports dynamic switching of running modes (limited to AlwaysAllow, EnhanceProtect, RuntimeDefault, DefenseInDepth) and updating sandbox rules without having to restart the workloads. However, when using the Seccomp enforcer, the workload must be restarted for changes to the Seccomp Profile to take effect.
  • vArmor supports modifying policies to add new enforcers, and the newly added enforcers only take effect on newly created Workloads.
  • vArmor supports modifying policies to remove the BPF enforcer.

Experimentals