README
¶
vArmor is a cloud-native container sandbox system. It leverages Linux's AppArmor LSM, BPF LSM and Seccomp technologies to implement enforcers. It can be used to strengthen container isolation, reduce the kernel attack surface, and increase the difficulty and cost of container escape or lateral movement attacks. You can leverage vArmor in the following scenarios to provide sandbox protection for containers within a Kubernetes cluster.
- In multi-tenant environments, hardware-virtualized container solutions cannot be employed due to factors such as cost and technical conditions.
- You want to enhance the security of critical business containers, making it more difficult for attackers to escalate privileges, escape, or laterally move.
- When high-risk vulnerabilities are present but immediate remediation is not possible due to the difficulty or lengthy process of patching, vArmor can be used to mitigate the risks (depending on the vulnerability type or exploitation vector) to block or increase the difficulty of exploitation.
Note:
- The core of security defense lies in balancing risks and benefits, transforming uncontrollable risks into controllable costs by choosing different types of security boundaries and defense technologies.
- runc + vArmor does not provide an isolation level equivalent to that of hardware virtualization containers (such as Kata Containers and other lightweight virtual machines). If you require a high-intensity isolation solution, please consider using hardware virtualization containers for compute isolation, and utilize CNI's NetworkPolicy for network isolation.
vArmor Features:
- Cloud-Native. vArmor follows the Kubernetes Operator design pattern, allowing users to harden specific workloads by manipulating the CRD API. This approach enables sandboxing of containerized microservices from a perspective closely aligned with business needs.
- Multiple Enforcers. vArmor abstracts AppArmor, BPF, and Seccomp as enforcers, supporting their use individually or in combination. This enables enforcing access control on container file access, process execution, network outbound, syscalls, and more.
- Allow-by-Default. vArmor currently focuses on supporting this model, where only explicitly declared behaviors will be blocked, which effectively minimizes performance impact and enhances usability. Besides, it supports auditing violations, and these violations can also be allowed rather than blocked.
- Built-in Rules. vArmor features a range of built-in rules ready to use out of the box. They are designed for the Allow-by-Default security model, eliminating the need for expertise in security profile creation.
- Behavior Modeling. vArmor features a range of built-in rules ready to use out of the box. They are designed for the Allow-by-Default security model, eliminating the need for expertise in security profile creation.
- Deny-by-Default. vArmor is capable of using allowlist profiles to harden workloads and provide a more user-friendly approach to develop and manage profiles.
vArmor was created by the Elkeid Team of the endpoint security department at ByteDance. And the project is still in active development.
Documentation
vArmor reference documents are available at varmor.org.
⚙️ Installation
Contributing
Thanks for your interest in contributing to vArmor! Here are some steps to help get you started:
🤝🏻 Read and agree to the code of conduct.
🛠️ Read the development guide.
💬 Join vArmor Lark group.
License
The vArmor project is licensed under Apache 2.0, except for third party components which are subject to different license terms. Please refer to the code header information in the code files.
Your integration of vArmor into your own projects should require compliance with the Apache 2.0 License, as well as the other licenses applicable to the third party components included within vArmor.
The eBPF code is located at vArmor-ebpf and licensed under GPL-2.0.
Credits
vArmor use cilium/ebpf to manage and interact with the eBPF program.
vArmor references part of the code of kyverno developed by Nirmata.
Demo
Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from cve-2021-22555)
404Starlink
vArmor has joined 404Starlink
Directories
¶
| Path | Synopsis |
|---|---|
|
apis
|
|
|
varmor/v1beta1
Package v1beta1 contains API Schema definitions for the varmor v1beta1 API group +kubebuilder:object:generate=true +groupName=crd.varmor.org
|
Package v1beta1 contains API Schema definitions for the varmor v1beta1 API group +kubebuilder:object:generate=true +groupName=crd.varmor.org |
|
cmd
|
|
|
varmor
command
|
|
|
internal
|
|
|
agent
Package agent implements the function of vArmor agent
|
Package agent implements the function of vArmor agent |
|
apm
Package apm provides the functions to operate the ArmorProfileModel object
|
Package apm provides the functions to operate the ArmorProfileModel object |
|
behavior
Package behavior is used to process the behavior data of targets
|
Package behavior is used to process the behavior data of targets |
|
behavior/preprocessor
Package preprocessor processes the audit events of AppArmor and Seccomp
|
Package preprocessor processes the audit events of AppArmor and Seccomp |
|
behavior/recorder
Package recorder records the events of AppArmor and Seccomp, and the events from processtracer
|
Package recorder records the events of AppArmor and Seccomp, and the events from processtracer |
|
config
Package config is used to store the configuration of vArmor
|
Package config is used to store the configuration of vArmor |
|
ipwatcher
Package ipwatcher watches the IP and port changes of pods, services and endpointslices
|
Package ipwatcher watches the IP and port changes of pods, services and endpointslices |
|
policy
Package policy implements the VarmorPolicy and VarmorClusterPolicy controllers
|
Package policy implements the VarmorPolicy and VarmorClusterPolicy controllers |
|
policycacher
Package policycacher caches the VarmorPolicy and VarmorClusterPolicy objects for the admission webhook
|
Package policycacher caches the VarmorPolicy and VarmorClusterPolicy objects for the admission webhook |
|
profile
Package profile generates the AppArmor/Seccomp/BPF profiles for policies
|
Package profile generates the AppArmor/Seccomp/BPF profiles for policies |
|
profile/apparmor
Package apparmor generates the AppArmor profile
|
Package apparmor generates the AppArmor profile |
|
profile/bpf
Package bpf generates the BPF profile
|
Package bpf generates the BPF profile |
|
profile/seccomp
Package seccomp generates the Seccomp profile
|
Package seccomp generates the Seccomp profile |
|
status
Package status implements the service of manager
|
Package status implements the service of manager |
|
status/apis/v1
Package statusmanagerv1 implements version v1 of status manager to handle the status from agents.
|
Package statusmanagerv1 implements version v1 of status manager to handle the status from agents. |
|
status/apis/v1beta1
Package modelmanagerv1beta1 implements the v1beta1 version of the interface to access the ArmorProfileModel objects
|
Package modelmanagerv1beta1 implements the v1beta1 version of the interface to access the ArmorProfileModel objects |
|
status/common
Package common provides common functions for the status service
|
Package common provides common functions for the status service |
|
tls
Package tls implements the certificate renewer for the admission webhook
|
Package tls implements the certificate renewer for the admission webhook |
|
types
Package types defines the types used in vArmor.
|
Package types defines the types used in vArmor. |
|
utils
Package utils implements the utils for vArmor.
|
Package utils implements the utils for vArmor. |
|
webhookconfig
Package webhookconfig implements the webhook register and cert manager for the admission webhook.
|
Package webhookconfig implements the webhook register and cert manager for the admission webhook. |
|
webhooks
Package webhooks implements the webhook server for the admission webhook.
|
Package webhooks implements the webhook server for the admission webhook. |
|
pkg
|
|
|
auditor
Package audit is used to audit the violations of target containers, and send the audit event to subscribers.
|
Package audit is used to audit the violations of target containers, and send the audit event to subscribers. |
|
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
|
This package has the automatically generated fake clientset. |
|
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
|
This package contains the scheme of the automatically generated clientset. |
|
client/clientset/versioned/typed/varmor/v1beta1
This package has the automatically generated typed clients.
|
This package has the automatically generated typed clients. |
|
client/clientset/versioned/typed/varmor/v1beta1/fake
Package fake has the automatically generated clients.
|
Package fake has the automatically generated clients. |
|
lsm/apparmor
Package apparmor interacts with the AppArmor LSM
|
Package apparmor interacts with the AppArmor LSM |
|
lsm/bpfenforcer
Package bpfenforcer manages the BPF programs and interacts with them through the BPF maps
|
Package bpfenforcer manages the BPF programs and interacts with them through the BPF maps |
|
lsm/utils
Package utils provides utils
|
Package utils provides utils |
|
metrics
Package metrics implements metrics module
|
Package metrics implements metrics module |
|
processtracer
Package tracer implements process tracer module
|
Package tracer implements process tracer module |
|
runtime
Package runtime implements a monitor to watch the task events
|
Package runtime implements a monitor to watch the task events |
|
seccomp
Package seccomp processes the seccomp profile
|
Package seccomp processes the seccomp profile |
|
signal
Package signal implements signal handler
|
Package signal implements signal handler |
|
types
Package types defines the types used in vArmor
|
Package types defines the types used in vArmor |
|
utils
Package utils implements utils
|
Package utils implements utils |