vArmor is a cloud native container sandbox system based on AppArmor/BPF/Seccomp. It also includes multiple built-in protection rules that are ready to use out of the box.
Is your feature request related to a problem? Please describe.
We should consider supporting the dynamic removal of the BPF enforcer. This would help provide more intervention methods to mitigate issues like #97.
Describe the solution you'd like
Starting from v0.5.9, vArmor supports dynamically adding enforcers to policies. This allows users to enable corresponding enforcer's rules for new workloads without needing to recreate policies, while not affecting the existing workloads.
Considering the particularities of AppArmor & Seccomp enforcers, vArmor does not allow users to dynamically remove enforcers, as this would impact the existing workloads (especially those pods created by an operator). However, the BPF enforcer is not subject to this restriction. We should consider supporting users to update the existing policies to remove the BPF enforcer.
Describe alternatives you've considered
Of course, people can still mitigate similar issues by switching the policy to AlwaysAllow mode.
Is your feature request related to a problem? Please describe. We should consider supporting the dynamic removal of the BPF enforcer. This would help provide more intervention methods to mitigate issues like #97.
Describe the solution you'd like Starting from v0.5.9, vArmor supports dynamically adding enforcers to policies. This allows users to enable corresponding enforcer's rules for new workloads without needing to recreate policies, while not affecting the existing workloads.
Considering the particularities of AppArmor & Seccomp enforcers, vArmor does not allow users to dynamically remove enforcers, as this would impact the existing workloads (especially those pods created by an operator). However, the BPF enforcer is not subject to this restriction. We should consider supporting users to update the existing policies to remove the BPF enforcer.
Describe alternatives you've considered Of course, people can still mitigate similar issues by switching the policy to
AlwaysAllowmode.