Cyber security

vArmor : Enhancing Container Security In Cloud-Native Environments

vArmor is a cloud-native container sandbox system. It leverages Linux’s AppArmor LSMBPF LSM and Seccomp technologies to implement enforcers.

It can be used to strengthen container isolation, reduce the kernel attack surface, and increase the difficulty and cost of container escape or lateral movement attacks.

You can leverage vArmor in the following scenarios to provide sandbox protection for containers within a Kubernetes cluster.

  • In multi-tenant environments, hardware-virtualized container solutions cannot be employed due to factors such as cost and technical conditions.
  • When there is a need to enhance the security of critical business containers, making it more difficult for attackers to escalate privileges, escape, or laterally move.
  • When high-risk vulnerabilities are present, but immediate remediation is not possible due to the difficulty or lengthy process of patching. vArmor can be used to mitigate the risks (depending on the vulnerability type or exploitation vector) to block or increase the difficulty of exploitation.

vArmor Features:

  • Cloud-native. vArmor follows the Kubernetes Operator design pattern, allowing users to harden specific workloads by manipulating the CRD API.
    • This approach enables sandboxing of containerized microservices from a perspective closely aligned with business needs.
  • Supports the use of AppArmor, BPF, Seccomp enforcer individually or in combination, enforcing mandatory access control on container file access, process execution, network outbound, syscall, and more.
  • Supports the Allow by Default security model, in which only behaviors explicitly declared will be blocked, thus minimize performance impact and enhancing usability.
  • Supports behavior modeling, and provides protection based on behavior models, meaning only behaviors explicitly declared are permitted.
  • Ready to use out of the box. vArmor includes multiple built-in rules for direct use.

vArmor was created by the Elkeid Team of the endpoint security department at ByteDance. And the project is still in active development.

Note: To meet stringent isolation requirements, it is advisable to give priority to utilizing hardware-virtualized containers (e.g., Kata Containers) for compute isolation, in conjunction with network isolation provided by CNI’s NetworkPolicy.

Prerequisites

You can specify the enforcer through the spec.policy.enforcer field of policy objects (VarmorPolicy/VarmorClusterPolicy). In addition, you can also use different enforcers individually or in combination, such as: AppArmorBPF, AppArmorSeccomp, AppArmorBPFSeccomp etc.

The prerequisites required by different enforcers are as shown in the following table.

EnforcerRequirementsRecommendations
AppArmor1. Linux Kernel 4.15 and above
2. The AppArmor LSM is enabled
GKE with Container-Optimized OS
AKS with Ubuntu 22.04 LTS
VKE with veLinux 1.0
Debian 10 and above
Ubuntu 18.04.0 LTS and above
veLinux 1.0 etc.
BPF1. Linux Kernel 5.10 and above (x86_64)
2. containerd v1.6.0 and above
3. The BPF LSM is enabled
EKS with Amazon Linux 2
GKE with Container-Optimized OS
VKE with veLinux 1.0 (with 5.10 kernel)
AKS with Ubuntu 22.04 LTS *
ACK with Alibaba Cloud Linux 3 *
OpenSUSE 15.4 *
Debian 11 *
Fedora 37
veLinux 1.0 with 5.10 kernel etc.

* Manual enabling of BPF LSM is required
Seccomp1. Kubernetes v1.19 and aboveAll Linux distributions

The Policy Modes And Built-In Rules

The vArmor policy can operate in five modes: AlwaysAllow, RuntimeDefault, EnhanceProtect, BehaviorModeling and DefenseInDepth.

When the policy is running in EnhanceProtect mode, built-in rules and custom interfaces can be used to harden the container.

For more information, please refer to Policy Modes and Built-in Rules.

For more information click here.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

cp Command: Copy Files and Directories in Linux

The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…

5 days ago

Image OSINT

Introduction In digital investigations, images often hold more information than meets the eye. With the…

5 days ago

cat Command: Read and Combine File Contents in Linux

The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…

5 days ago

Port In Networking

What is a Port? A port in networking acts like a gateway that directs data…

5 days ago

ls Command: List Directory Contents in Linux

The ls command is fundamental for anyone working with Linux. It’s used to display the files and…

6 days ago

pwd Command: Find Your Location in Linux

The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…

6 days ago