
Releases: bytedance/vArmor

release v0.7.0

27 Feb 15:46

What's Changed

Added

  • Added an AllowViolations field to the VarmorPolicy and VarmorClusterPolicy CRDs.
  • Supported an observation mode for the AppArmor, BPF and Seccomp enforcers.
  • Logged violation events that are not blocked to the violations.log file at debug level.
  • Added a StorageType field to the ArmorProfileModel CRD.
  • Added a STORAGE-TYPE column to the additional printer columns of ArmorProfileModel resources, so that more detail is shown when viewing them with the kubectl command-line tool.
  • Mounted an emptyDir data volume into the agent and the manager when the behavior modeling feature is enabled.
  • The manager saves the behavior data and profiles to a local file in the data volume when the ArmorProfileModel object exceeds the size limit.
  • The agent caches the audit data in the data volume during modeling.
  • Supported exporting the complete ArmorProfileModel object through the manager's interface.
  • All manager interfaces are now exposed under the /apis path.
  • Added a --logFormat command-line option that allows logs to be output in JSON format.
  • Modified the AppArmorRawRules structure of the VarmorPolicy and VarmorClusterPolicy CRDs so that custom rules can be set for specific executable files.
  • Agents now periodically force an update of profiles whose status does not match the expected state.
  • Loaded profiles from the local file when a policy runs in DefenseInDepth mode and the StorageType field of the ArmorProfileModel object is LocalDisk.
  • Added the Helm option --set jsonLogFormat.enabled=true for switching the log format to JSON.
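The following policy is an added example, not a manifest from the vArmor project or its documentation. It shows how the two CRD changes above would be used together: the observation mode (allowViolations) that records would-be violations in violations.log without blocking them, and the reworked AppArmorRawRules that scope custom AppArmor rules to a single executable. The field names allowViolations and the rules/targets layout of each appArmorRawRules entry are assumptions derived from the release note wording, and the workload name, namespace, label and target binary are placeholders; confirm the schema against the installed CRD with `kubectl explain varmorpolicy.spec.policy.enhanceProtect` before applying it.

```yaml
# Added example (not vArmor's own manifest). Field names under
# spec.policy.enhanceProtect marked "assumed" are inferred from the v0.7.0
# release note; verify with: kubectl explain varmorpolicy.spec.policy.enhanceProtect
apiVersion: crd.varmor.org/v1beta1
kind: VarmorPolicy
metadata:
  name: demo-observe          # assumed policy name
  namespace: demo             # assumed namespace of the workload
spec:
  target:
    kind: Deployment
    selector:
      matchLabels:
        app: demo             # assumed label on the Deployment under test
  policy:
    enforcer: AppArmor
    mode: EnhanceProtect
    enhanceProtect:
      hardeningRules:
        - disallow-write-core-pattern
      attackProtectionRules:
        - rules:
            - disable-cap-privileged
      # Observation mode: violations are written to violations.log instead of
      # being blocked, so the policy can be tuned before it is enforced.
      auditViolations: true
      allowViolations: true   # assumed field name (AllowViolations in the CRD)
      # Custom AppArmor rules limited to one executable. The rules/targets
      # entry layout is assumed from the release note.
      appArmorRawRules:
        - rules: |
            deny /etc/shadow r,
          targets:
            - /usr/bin/curl   # assumed target binary inside the container
```

Run the workload under this policy for a representative period, review the entries the agent writes to /var/log/varmor/violations.log, add or relax rules as needed, and only then set allowViolations to false so the same policy starts blocking.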

Fixed

  • The agent now exposes its readiness probe on port 6080 by default when it is not running in a container.
  • The agent accesses the classifier through the varmor-classifier-svc service when it is running in a container.
  • Increased the wait time before a timeout retry.
  • Switched the tracing log level from 3 to 2.

Full Changelog: v0.6.3...v0.7.0

release v0.7.0-alpha2

26 Feb 10:35
Pre-release
Release 0.7.0-alpha2

release v0.7.0-alpha1

22 Feb 15:09
Pre-release
Release 0.7.0-alpha1

release v0.7.0-beta3

20 Feb 08:25
Pre-release
Release 0.7.0-beta3

release v0.6.3

19 Feb 07:03

What's Changed

Full Changelog: v0.6.2...v0.6.3

release v0.7.0-beta2

18 Feb 12:46
Pre-release
chore: Switch log level from 3 to 2 for tracing

release v0.7.0-beta1

17 Feb 06:43
Pre-release
Update libseccomp to v2.6.0

release v0.6.2

27 Dec 12:10

What's Changed

  • Added the child's mount namespace ID to the monitor list when it is in a new mount namespace during behavior modeling.
  • Returned early when the behavior data is too large.
  • Added a debug flag to control whether debug files are generated for behavior modeling.
  • Added the disallow-load-all-bpf-prog rule for the Seccomp enforcer to prohibit loading eBPF programs of any type.
  • Fixed: create the varmor-classifier-svc service in the namespace where vArmor is installed.

Full Changelog: v0.6.1...v0.6.2

release v0.6.1

20 Dec 09:03

What's Changed

  • fixed: Always render the agent environment variables
  • Upgraded the golang.org/x/net package to fix CVE-2024-45338

Full Changelog: v0.6.0...v0.6.1

release v0.6.0

18 Dec 02:28

What's Changed

  • feat: Adapt the AppArmor enforcer for K8s v1.30 and above
  • feat: Add monitoring metrics and support integration with Prometheus and Grafana
  • feat: Support the violation auditing feature for the BPF enforcer
  • feat: Enrich the violation audit logs of the BPF enforcer with container and pod information
  • feat: Integrate the violation auditing features of the AppArmor and BPF enforcers
  • feat: Unify the audit event format of the AppArmor and BPF enforcers, and save the audit events to /var/log/varmor/violations.log
  • feat: Support enforcing access control on socket creation for the BPF enforcer
  • feat: Support wildcards for all BPF permissions and flags
  • feat: Add new networking built-in rules for the BPF and AppArmor enforcers
  • feat: Run the agent in an unprivileged container
  • feat: Allow running the agent in the host's network namespace
  • refactor: Abstract the processtracer and auditor modules to collect events for the behavior modeling and violation auditing features
  • refactor: Refactor the behavior modeling and violation auditing features so that they no longer depend on syslog or auditd and require no manual configuration
  • refactor: Change fields in the CRDs from objects to pointers
  • refactor: Integrate the logic for updating policy objects
  • Automatically adjust GOMAXPROCS to the container CPU limit
  • Pass the node name and readiness port to the agent via environment variables
  • Standardize the UserAgent name
  • Added a version flag
  • Added Helm configuration options for the new features
  • fixed: Remove the finalizers of zombie ArmorProfile objects
  • fixed: Always retry object updates when a conflict occurs
  • fixed: The child profile should inherit rules from the parent, excluding the attack protection rules
  • fixed: Output error information when the agent service fails to start
  • docs: Further improve the repository documentation
  • website: Official website launched (https://varmor.org)

Full Changelog: v0.5.11...v0.6.0