Merge pull request #158 from bytedance/support-observation-mode

feat: Support observation mode
bytedance · Jan 2, 2025 · 4dda79a · 4dda79a
2 parents fe6814a + c381ab5
commit 4dda79a
Show file tree

Hide file tree

Showing 19 changed files with 419 additions and 238 deletions.
diff --git a/apis/varmor/v1beta1/varmorpolicy_types.go b/apis/varmor/v1beta1/varmorpolicy_types.go
@@ -191,6 +191,13 @@ type EnhanceProtect struct {
 	// Default is false.
 	// +optional
 	AuditViolations bool `json:"auditViolations,omitempty"`
+	// AllowViolations determines whether to allow the actions that are against the mandatory
+	// access control rules. Currently, this feature supports AppArmor and BPF enforcers.
+	// Any detected violation will be allowed instead of being blocked.
+	//
+	// Default is false.
+	// +optional
+	AllowViolations bool `json:"allowViolations,omitempty"`
 }
 
 type ModelingOptions struct {

diff --git a/config/crds/crd.varmor.org_varmorclusterpolicies.yaml b/config/crds/crd.varmor.org_varmorclusterpolicies.yaml
@@ -80,6 +80,13 @@ spec:
                     description: EnhanceProtect is used to specify which built-in
                       or custom rules are employed to protect the target workloads.
                     properties:
+                      allowViolations:
+                        description: "AllowViolations determines whether to allow
+                          the actions that are against the mandatory access control
+                          rules. Currently, this feature supports AppArmor and BPF
+                          enforcers. Any detected violation will be allowed instead
+                          of being blocked. \n Default is false."
+                        type: boolean
                       appArmorRawRules:
                         description: AppArmorRawRules is used to set native AppArmor
                           rules, each rule must end with a comma

diff --git a/config/crds/crd.varmor.org_varmorpolicies.yaml b/config/crds/crd.varmor.org_varmorpolicies.yaml
@@ -79,6 +79,13 @@ spec:
                     description: EnhanceProtect is used to specify which built-in
                       or custom rules are employed to protect the target workloads.
                     properties:
+                      allowViolations:
+                        description: "AllowViolations determines whether to allow
+                          the actions that are against the mandatory access control
+                          rules. Currently, this feature supports AppArmor and BPF
+                          enforcers. Any detected violation will be allowed instead
+                          of being blocked. \n Default is false."
+                        type: boolean
                       appArmorRawRules:
                         description: AppArmorRawRules is used to set native AppArmor
                           rules, each rule must end with a comma

diff --git a/docs/getting_started/interface_specification.md b/docs/getting_started/interface_specification.md
@@ -19,6 +19,7 @@ English | [简体中文](interface_specification.zh_CN.md)
 |      ||syscallRawRules<br />*[LinuxSyscall](https://pkg.go.dev/github.com/opencontainers/[email protected]/specs-go#LinuxSyscall) array*|Optional. SyscallRawRules is used to set the custom syscalls blocklist rules with Seccomp enforcer. Please refer to [this document](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp) to create custom rules.|
 |      ||privileged<br />*bool*|Optional. Privileged is used to identify whether the policy is for the privileged container. If set to false, vArmor will build AppArmor or BPF profiles on top of the **RuntimeDefault** mode. Otherwise, it will build AppArmor or BPF profiles on top of the **AlwaysAllow** mode. (Default: false)<br /><br />Note: If set to true, vArmor will not build Seccomp profile for the target workloads.|
 |      ||auditViolations<br />*bool*|Optional. AuditViolations determines whether to audit the actions that violate the mandatory access control rules. Currently, this feature supports AppArmor and BPF enforcers. Any detected violation will be logged to `/var/log/varmor/violations.log` file in the host. (Default: false)|
+|      ||allowViolations<br />*bool*|Optional. AllowViolations determines whether to allow the actions that are against the mandatory access control rules. Currently, this feature supports AppArmor and BPF enforcers. Any detected violation will be allowed instead of being blocked. (Default: false)|
 |      |modelingOptions|duration<br />*int*|[Experimental] Duration is the duration in minutes to modeling. |
 |updateExistingWorkloads<br />*bool*|-|-|Optional. UpdateExistingWorkloads is used to indicate whether to perform a rolling update on target existing workloads, thus enabling or disabling the protection of the target workloads when policies are created or deleted. (Default: false)<br /><br />Note: vArmor only performs a rolling update on Deployment, StatefulSet, or DaemonSet type workloads. If `.spec.target.kind` is Pod, you need to rebuild the Pod yourself to enable or disable protection.|
 |      ||PLACEHOLDER_PLACEHOD|

diff --git a/docs/getting_started/interface_specification.zh_CN.md b/docs/getting_started/interface_specification.zh_CN.md
@@ -18,7 +18,8 @@
 |      ||bpfRawRules<br />*[BpfRawRules](#bpfrawrules)*|可选字段。用于支持用户设置自定义的 BPF 黑名单规则。|
 |      ||syscallRawRules<br />*[LinuxSyscall](https://pkg.go.dev/github.com/opencontainers/[email protected]/specs-go#LinuxSyscall) array*|可选字段。用于支持用户使用 Seccomp enforcer 设置自定义的 Syscall 黑名单规则。请参考 [此文档](https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#seccomp) 创建自定义规则。|
 |      ||privileged<br />*bool*|可选字段。当对特权容器进行加固，请务必将此值设置为 true。若为 false，将在 **RuntimeDefault** 模式的基础上构造 AppArmor/BPF Profiles。若为 ture，则在 **AlwaysAllow** 模式的基础上构造 AppArmor/BPF Profiles。<br /><br />注意：当为 true 时，vArmor 不会为目标构造 Seccomp Profiles。（默认值：false）|
-|      ||auditViolations<br />*bool*|可选字段. 用于审计违反沙箱策略的行为。此特性当前支持 AppArmor 和 BPF enforcers，任何违反沙箱策略的行为都会被记录到宿主机的 `/var/log/varmor/violations.log` 文件中。（默认值：false）|
+|      ||auditViolations<br />*bool*|可选字段。用于审计违反沙箱策略的行为。此特性当前支持 AppArmor 和 BPF enforcers，任何违反沙箱策略的行为都会被记录到宿主机的 `/var/log/varmor/violations.log` 文件中。（默认值：false）|
+|      ||allowViolations<br />*bool*|可选字段。放行违反沙箱策略的行为。此特性当前支持 AppArmor 和 BPF enforcers，任何违反沙箱策略的行为都不会被拦截。（默认值：false）|
 |      |modelingOptions|duration<br />*int*|动态建模的时间。（单位：分钟）[实验功能]|
 |updateExistingWorkloads<br />*bool*|-|-|可选字段。用于指定是否对符合条件的工作负载进行滚动更新，从而在 Policy 创建或删除时，对目标工作负载开启或关闭防护。（默认值：false）<br /><br />注意：vArmor 只会对 Deployment、StatefulSet、DaemonSet 类型的工作负载进行滚动更新，如果 `.spec.target.kind` 为 Pod，需要您自行重建 Pod 来开启或关闭防护。|
 |      ||PLACEHOLDER_PLACEHOLD|

diff --git a/internal/agent/agent.go b/internal/agent/agent.go
@@ -151,8 +151,14 @@ func NewAgent(
 	})
 
 	go func() {
-		if err := r.Run(fmt.Sprintf(":%d", varmorconfig.AgentServicePort)); err != nil {
-			log.Error(err, "fatal error: agent service failed to start")
+		if inContainer {
+			if err := r.Run(fmt.Sprintf(":%d", varmorconfig.AgentServicePort)); err != nil {
+				log.Error(err, "fatal error: agent service failed to start")
+			}
+		} else {
+			if err := r.Run(":6080"); err != nil {
+				log.Error(err, "fatal error: agent service failed to start")
+			}
 		}
 	}()