Releases: bytedance/vArmor

v0.8.2

11 Aug 15:18

Features

  • Mode Switching Enhancement. Allow mutual conversion between all modes. (#238)
  • Update Seccomp profile to AlwaysAllow post-behavior modeling (#240)
  • Add ArmorProfileModel Import API (#242)
  • Add Persistent Volume Support for LocalDisk ArmorProfileModel Data (#243)

Refactors

  • Refactor webhook config generation for modularity and reduced redundancy (#241)
  • Improve Audit Event Filtering Accuracy with Profile Names and Mount Namespace IDs (#245)

Full Changelog: v0.8.1...v0.8.2

v0.8.1

24 Jul 09:05

Features

  • Added the block-access-to-container-runtime built-in rule
  • Injected the accountID, region, clusterID, etc. fields into the component logs if they are configured with the auditEventMetadata values
  • Injected the namespace where vArmor is deployed into the violation logs
  • Added container image to the violation logs

Refactors

  • Patched leader pod with pod name
  • Passed service ports through environment variables
  • Made the state feedback logic of the agent clearer

Fixes

  • Ensured that integers in the auditEventMetadata values can be output to the logs

Full Changelog: v0.8.0...v0.8.1

v0.8.0

23 Jun 07:14

vArmor v0.8.0 has been released. For a comprehensive overview of the new features, refer to our blog.

Added

  • Added a self-hosted runner and e2e test cases for the BPF enforcer (#205)
  • Supported defining multiple ports and port ranges for network egress rules (#202)
  • Added PodServiceEgressControl feature for restricting access to pods and services (#206, #216, #217, #221)
  • Added a pod-self entity to restrict containers from accessing the IP of the Pod they are located in (#207)
  • Added an unspecified entity to restrict containers from accessing 0.0.0.0 and :: (#208)
  • Added a localhost entity to restrict containers from accessing the loopback address (#209)
  • Enhanced DefenseInDepth mode with flexible profile sources and observation support (#210)
  • Extracted profile name from the Pod annotation and added it to the violation event for improved log traceability (#210)
  • Supported injecting metadata into the violation event (#214)
  • Supported BPF enforcer removal from existing policies (#213)
  • Added the block-access-to-kube-apiserver built-in rule (#222)
  • Added the ingress-nightmare-mitigation built-in rule (#222)

Changed

  • Saved AppArmor and Seccomp profiles as plain text into the CR object (#201)
  • Enhanced concurrency safety for status synchronization (#201)
  • Extracted common fields from CRD definitions into a common file (#210)
  • Upgraded libseccomp-golang to v0.11.0 (#210)
  • Improved error handling in ArmorProfile processing to collect all profile errors (#212)
  • Set default qps and burst values for Kubernetes client (#218)
  • Increased the value of MaxTargetContainerCountForBpfLsm from 100 to 110 (#207)

Full Changelog: v0.7.1...v0.8.0

release v0.8.0-beta.1

17 Jun 06:59
f569402

Pre-release
Merge pull request #211 from bytedance/update-docs

Update the documentation for version 0.8

release v0.8.0-alpha2

06 Jun 06:15
adb302a

Pre-release
Merge pull request #214 from bytedance/inject-metadata-to-audit-event

feat: Add Custom Metadata Injection to Audit Events

release v0.8.0-alpha1

30 May 06:30
1a08307

Pre-release
Merge pull request #210 from bytedance/refactor-defense-in-depth

feat: Enhance `DefenseInDepth` mode with flexible profiles and audit traceability

release v0.7.1

23 Apr 13:39

What's Changed

  • Fixed the path matching issue in the procfs to ensure correct FD matching.
  • Fixed incorrect interception of legitimate setsockopt calls in the disallow-load-bpf-via-setsockopt rule (#199)

Full Changelog: v0.7.0...v0.7.1

release v0.6.4

23 Apr 14:05

What's Changed

  • Fixed incorrect interception of legitimate setsockopt calls in the disallow-load-bpf-via-setsockopt rule (#199)

Full Changelog: v0.6.3...v0.6.4

release v0.7.0

27 Feb 15:46

What's Changed

Added

  • Added an AllowViolations field to the VarmorPolicy and VarmorClusterPolicy CRD.
  • Supported the observation mode for AppArmor, BPF and Seccomp enforcers.
  • Logged the violation events that are not blocked into the violations.log file at debug level.
  • Added a StorageType field to the ArmorProfileModel CRD.
  • Added a STORAGE-TYPE field to the additional printer columns of the ArmorProfileModel resources to provide more detailed information when viewing the resources via the kubectl command-line tool.
  • Mounted an emptyDir data volume to the agent and the manager when the behavior modeling feature is enabled.
  • Manager saves the behavior data and profiles into a local file within the data volume when the ArmorProfileModel object exceeds the limit.
  • Agent caches the audit data in the data volume during modeling.
  • Supported exporting the complete ArmorProfileModel object from the interface of the manager.
  • All interfaces of the manager are exposed at the /apis path.
  • Added a --logFormat command-line option and allowed outputting logs in JSON format.
  • Modified the AppArmorRawRules structure of the VarmorPolicy and VarmorClusterPolicy CRD to support setting custom rules for specific executable files.
  • Forced agents to update profiles whose status did not meet the expected criteria periodically.
  • Loaded the profiles from the local file if the StorageType field of ArmorProfileModel object is LocalDisk when the policy is running in DefenseInDepth mode.
  • Added a --set jsonLogFormat.enabled=true option for switching log format to JSON.

Fixed

  • Agent exposed the readinessProbe on port 6080 by default if it was not in a container.
  • Accessed the classifier through the varmor-classifier-svc service when the agent was running in a container.
  • Increased the wait time for timeout retry.
  • Switched log level from 3 to 2 for tracing.

Full Changelog: v0.6.3...v0.7.0

release v0.7.0-alpha2

26 Feb 10:35

Pre-release
Release 0.7.0-alpha2