Releases: bytedance/vArmor

v0.9.0

13 Nov 04:13
6dace13

Features

  • Enabled enforce/complain modes for BPF enforcer profiles to align with AppArmor (#250)
  • Added BehaviorModeling mode support to the BPF enforcer (#250)
  • Added an operation field to violation logs generated by the BPF enforcer (#250)
  • Renamed the eventType field in violation logs to enforcer (#250)
  • Added a qualifiers field to the BPF enforcer's custom rule interfaces (#257)
  • Added shorthand forms for supported mount flags in the BPF enforcer, aligning with AppArmor (#250)
  • Enabled policy-advisor to generate policy templates using BPF enforcer behavior data (#261)

Refactors

  • Renamed profile and dynamic result fields in CRD (#255)
  • Standardized all Seccomp violation logs to use the AUDIT|ALLOWED action (#253)
  • Adjusted all violation logs to be recorded at the warn level (#263)
  • Removed zerolog time format configuration from JSON log format setup (#266)
  • Standardized indentation for all AppArmor rules to improve readability (#265)
  • Dependency upgrades: Updated Go to 1.24 and the ebpf package to v0.19.0 (#250)
  • Updated base image and environment variables in the Dockerfile (#250, #251)

Fixes

  • Fixed profile generation logic of BPF enforcer to use correct rule pattern constants (#252)
  • Addressed potential null pointer references during BPF event conversion (#254)

v0.9.0-beta.2

12 Nov 10:49
6dace13

Pre-release
refactor: Remove zerolog time format configuration (#266)

v0.9.0-beta.1

11 Nov 03:39
4eaab0f

Pre-release
Merge pull request #263 from bytedance/unify-violations-level

Unify Violation Logs to Warn Level for Consistent Logging

v0.9.0-alpha.1

05 Nov 02:31
de6ee53

Pre-release
Merge pull request #261 from bytedance/policy-advisor-use-bpf-data

Refactor Policy Advisor to Use BPF Behavioral Data

v0.8.2

11 Aug 15:18

Features

  • Mode Switching Enhancement. Allow mutual conversion between all modes. (#238)
  • Update Seccomp profile to AlwaysAllow post-behavior modeling (#240)
  • Add ArmorProfileModel Import API (#242)
  • Add Persistent Volume Support for LocalDisk ArmorProfileModel Data (#243)

Refactors

  • Refactor webhook config generation for modularity and reduced redundancy (#241)
  • Improve Audit Event Filtering Accuracy with Profile Names and Mount Namespace IDs (#245)

Full Changelog: v0.8.1...v0.8.2

v0.8.1

24 Jul 09:05

Features

  • Added the block-access-to-container-runtime built-in rule
  • Injected fields such as accountID, region, and clusterID into the component logs when they are configured in the auditEventMetadata values
  • Injected the namespace where the vArmor is deployed into the violation logs
  • Added container image to the violation logs

Refactors

  • Patched leader pod with pod name
  • Passed service ports through environment variables
  • Made the state feedback logic of the agent clearer

Fixes

  • Ensured that integers in the auditEventMetadata values can be output to the logs

Full Changelog: v0.8.0...v0.8.1

v0.8.0

23 Jun 07:14

vArmor v0.8.0 has been released. For a comprehensive overview of the new features, refer to our blog.

Added

  • Added a self-hosted runner and e2e test cases for the BPF enforcer (#205)
  • Supported defining multiple ports and port ranges for network egress rules (#202)
  • Added PodServiceEgressControl feature for restricting access to pods and services (#206, #216, #217, #221)
  • Added a pod-self entity to restrict containers from accessing the IP of the Pod they are located in (#207)
  • Added an unspecified entity to restrict containers from accessing 0.0.0.0 and :: (#208)
  • Added a localhost entity to restrict containers from accessing the loopback address (#209)
  • Enhanced DefenseInDepth mode with flexible profile sources and observation support (#210)
  • Extracted profile name from the Pod annotation and added it to the violation event for improved log traceability (#210)
  • Supported injecting metadata into the violation event (#214)
  • Supported BPF enforcer removal from existing policies (#213)
  • Added the block-access-to-kube-apiserver built-in rule (#222)
  • Added the ingress-nightmare-mitigation built-in rule (#222)

Changed

  • Saved AppArmor and Seccomp profiles as plain text into the CR object (#201)
  • Enhanced concurrency safety for status synchronization (#201)
  • Extracted common fields from CRD definitions into a common file (#210)
  • Upgraded libseccomp-golang to v0.11.0 (#210)
  • Improved error handling in ArmorProfile processing to collect all profile errors (#212)
  • Set default qps and burst values for Kubernetes client (#218)
  • Increased the value of MaxTargetContainerCountForBpfLsm from 100 to 110 (#207)

Full Changelog: v0.7.1...v0.8.0

release v0.8.0-beta.1

17 Jun 06:59
f569402

Pre-release
Merge pull request #211 from bytedance/update-docs

Update the documentation for version 0.8

release v0.8.0-alpha2

06 Jun 06:15
adb302a

Pre-release
Merge pull request #214 from bytedance/inject-metadata-to-audit-event

feat: Add Custom Metadata Injection to Audit Events