docs: Document the data persistence and data import features

Author: Danny-Wei

docs/getting_started/interface_specification.md

@@ -165,7 +165,7 @@ English | [简体中文](interface_specification.zh_CN.md)
 
 | Field | Description |
 |-------|-------------|
-|duration<br />*int*| Duration is the duration in minutes to modeling. |
+|duration<br />*int*| Duration is the duration in minutes for modeling. The modeling duration starts from the moment the policy is created and is only valid if the current time is earlier than the expected modeling completion time. This field supports dynamic adjustment, which can be used to end modeling early, extend the modeling duration, or restart modeling, and its value cannot be zero. |
 
 ## DefenseInDepth
 

docs/getting_started/interface_specification.zh_CN.md

@@ -165,7 +165,7 @@
 
 | 字段 | 描述 |
 |-----|------|
-|duration<br />*int*| Duration 是行为建模所需的分钟数。|
+|duration<br />*int*| Duration 是建模的时长（以分钟为单位）。建模时长从策略创建时刻开始计算，仅当当前时间早于预期建模完成时间时有效。该字段支持动态调整，可用于尽早结束建模、延长建模时间或重新启动建模，且取值不能为零。|
 
 ## DefenseInDepth
 

docs/guides/policies_and_rules/policy_modes/behavior_modeling.md

@@ -32,7 +32,7 @@ The requirements for the BehaviorModeling mode are as follows.
 
     * *The **varmor-agent** requires additional resources as shown below when the BehaviorModeling feature is enabled. Another component, the **varmor-classifier**, which is used to identify random patterns in the path, will also be deployed.*
 
-      ```
+      ```yaml
       resources:
         limits:
           cpu: 2
@@ -157,11 +157,19 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
 * The **BehaviorModeling** mode can only be switched to other modes after the modeling is completed.
 * When switching to **BehaviorModeling** mode from other modes or when the modeling has already been completed, you need to update the modeling duration and restart the target workload to restart the modeling process.
 
-### Data Export
+### Data Persistence
+
+The modeling results will be saved by the manager into the ArmorProfileModel object. 
+
+When the behavior data is too large, the manager will persist it to the local disk and set the `storageType` field to `LocalDisk`. By default, the manager uses an `emptyDir` volume with a storage space of **500Mi** to persist the modeling results.
 
-You can export the behavior data and profiles of the target workloads for other purposes. For example, use [Policy Advisor](../../policy_advisor.md) to analyze which built-in rules can be used to enforce the target workloads, guide users to minimize permissions for the security context of the workload based on the behavior data, etc.
+You can enable the use of a persistent volume to store the modeling results by using the `--set manager.behaviorModeling.usePersistentVolume=true` option. Before enabling the persistent volume, please make sure that a PVC named **varmor-manager-apmdata-pvc** has been created in the namespace where the manager is located.
 
-Different storage types have different methods for exporting ArmorProfileModel objects:
+### Data Export and Import
+
+You can export the behavior data and profiles of the target workload for other purposes. For example, use [Policy Advisor](../../policy_advisor.md) to analyze which built-in rules can be used to harden the target application, and guide users to minimize the permissions of the security context of the workload based on the behavior data. You can also import the exported data into other clusters for exported data into other clusters for use.
+
+The methods for exporting and importing ArmorProfileModel objects of different storage types are different:
 
   * **CRDInternal**
 
@@ -170,16 +178,22 @@ Different storage types have different methods for exporting ArmorProfileModel o
       ```bash
       kubectl get ArmorProfileModel -n demo varmor-demo-demo-4 -o json > varmor-demo-demo-4.json
       ```
+    
+    - Import directly using kubectl
+
+      ```bash
+      kubectl apply -f varmor-demo-demo-4.json
+      ```
 
   * **LocalDisk**
 
-    - Forward local port 8080 to port 8080 of the cluster varmor-state-svc Service
+    - Forward local port 8080 to port 8080 of the cluster `varmor-state-svc` Service
 
       ```bash
       kubectl port-forward -n varmor service/varmor-status-svc 8080:8080
       ```
 
-    - Request a ServiceAccount token of varmor-manager
+    - Obtain the ServiceAccount token with read and write permissions for the armorprofilemodels resource. Here, use the ServiceAccount token of varmor-manager.
 
       ```bash
       token=$(kubectl create token varmor-manager -n varmor)
@@ -189,9 +203,22 @@ Different storage types have different methods for exporting ArmorProfileModel o
 
       ```bash
       curl -k -X GET \
-        -H 'Authorization: Bearer $token' \
+        -H "Authorization: Bearer $token" \
         https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 > varmor-demo-demo-4.json
       ```
+    
+    - Access the `/apis/crd.varmor.org/v1beta1/namespaces/{namespace}/armorprofilemodels/{name}` interface to import data
+
+      If there is already an ArmorProfileModel object with the same name in the namespace of the cluster, the behavior data will be merged and the profiles will be overwritten.
+
+      ```bash
+      curl -k \
+          -X POST https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 \
+          -H "Authorization: Bearer $token" \
+          -H "Accept: application/json" \
+          -H "Content-Type: application/json" \
+          -d @varmor-demo-demo-4.json
+      ```
 
 ## Use Case
 

docs/guides/policies_and_rules/policy_modes/behavior_modeling.zh_CN.md

@@ -32,7 +32,7 @@ BehaviorModeling 模式的前置条件如下所示：
 
     * *启用 BehaviorModeling 特性时，**varmor-agent** 需要如下所示的追加资源。另外，**varmor-classifier** 组件也会被部署，用于识别路径中的随机字符串。*
 
-      ```
+      ```yaml
       resources:
         limits:
           cpu: 2
@@ -156,11 +156,19 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
 * 不支持将 BehaviorModeling 模式的策略切换为其他模式，反之亦然。您需要删除策略后重新创建策略才可切换。
 * 建模完成后，不支持修改策略的建模时长。您需要删除策略后重新创建策略才可以重新开始建模，但已有的行为数据会被保留。
 
-### 数据导出
+### 数据持久化
+
+建模结果会被 manager 保存到 ArmorProfileModel 对象中。
+
+当行为数据过大时，manager 会将其持久化到本次磁盘，并将 `storageType` 字段设置为 `LocalDisk`。
+
+默认情况下，manager 使用存储空间为 **500Mi** 的 `emptyDir` 卷来存储建模结果。您可以通过 `--set manager.behaviorModeling.usePersistentVolume=true` 选项启用使用持久化卷存储建模结果。启用持久卷前，请确保 manager 所在命名空间中已创建了名为 varmor-manager-apmdata-pvc 的 PVC。
 
-您可以将目标负载的行为数据和 Profiles 导出用于其他目的。例如：使用 [策略顾问](../../policy_advisor.zh_CN.md) 分析哪些内置规则能够被用于加固目标应用，基于行为数据指导用户对工作负载的安全上下文进行权限最小化等。
+### 数据导出与导入
 
-不同存储类型的 ArmorProfileModel 对象导出方法不同：
+您可以将目标负载的行为数据和 Profiles 导出用于其他目的。例如：使用[策略顾问](../../policy_advisor.md)分析哪些内置规则能够被用于加固目标应用，基于行为数据指导用户对工作负载的安全上下文进行权限最小化等。您还可以将导出的数据导入到其他集群中进行使用。
+
+不同存储类型的 ArmorProfileModel 对象导出与导入方法不同：
 
   * **CRDInternal**
 
@@ -169,16 +177,22 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
       ```bash
       kubectl get ArmorProfileModel -n demo varmor-demo-demo-4 -o json > varmor-demo-demo-4.json
       ```
+    
+    - 直接使用 kubectl 导入
+
+      ```bash
+      kubectl apply -f varmor-demo-demo-4.json
+      ```
 
   * **LocalDisk**
 
-    - 将本地端口 8080 转发到集群 varmor-status-svc Service 的 8080 端口
+    - 将本地端口 8080 转发到集群 `varmor-status-svc` Service 的 8080 端口
 
       ```bash
       kubectl port-forward -n varmor service/varmor-status-svc 8080:8080
       ```
 
-    - 获取 varmor-manager 的 ServiceAccount token
+    - 获取具有 armorprofilemodels 资源读写权限的 ServiceAccount token。这里使用 varmor-manager 的 ServiceAccount token。
 
       ```bash
       token=$(kubectl create token varmor-manager -n varmor)
@@ -188,9 +202,22 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
 
       ```bash
       curl -k -X GET \
-        -H 'Authorization: Bearer $token' \
+        -H "Authorization: Bearer $token" \
         https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 > varmor-demo-demo-4.json
       ```
+    
+    - 访问 `/apis/crd.varmor.org/v1beta1/namespaces/{namespace}/armorprofilemodels/{name}` 接口导入数据
+
+      如果集群的命名空间中已经有同名的 ArmorProfileModel 对象，那么行为数据会被合并，Profiles 会被覆盖。
+
+      ```bash
+      curl -k \
+          -X POST https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 \
+          -H "Authorization: Bearer $token" \
+          -H "Accept: application/json" \
+          -H "Content-Type: application/json" \
+          -d @varmor-demo-demo-4.json
+      ```
 
 ## 示例
 

website/docs/getting_started/interface_specification.md

@@ -168,7 +168,7 @@ description: The interface specification of vArmor.
 
 | Field | Description |
 |-------|-------------|
-|duration<br />*int*| Duration is the duration in minutes to modeling. |
+|duration<br />*int*| Duration is the duration in minutes for modeling. The modeling duration starts from the moment the policy is created and is only valid if the current time is earlier than the expected modeling completion time. This field supports dynamic adjustment, which can be used to end modeling early, extend the modeling duration, or restart modeling, and its value cannot be zero. |
 
 ## DefenseInDepth
 

website/docs/guides/policies_and_rules/policy_modes/behavior_modeling.md

@@ -169,11 +169,19 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
 * The **BehaviorModeling** mode can only be switched to other modes after the modeling is completed.
 * When switching to **BehaviorModeling** mode from other modes or when the modeling has already been completed, you need to update the modeling duration and restart the target workload to restart the modeling process.
 
-### Data Export
+### Data Persistence
 
-You can export the behavior data and profiles of the target workloads for other purposes. For example, use [Policy Advisor](../../policy_advisor.md) to analyze which built-in rules can be used to enforce the target workloads, guide users to minimize permissions for the security context of the workload based on the behavior data, etc.
+The modeling results will be saved by the manager into the ArmorProfileModel object. 
 
-Different storage types have different methods for exporting ArmorProfileModel objects:
+When the behavior data is too large, the manager will persist it to the local disk and set the `storageType` field to `LocalDisk`.
+
+By default, the manager uses an `emptyDir` volume with a storage space of **500Mi** to persist the modeling results. You can enable the use of a persistent volume to store the modeling results by using the `--set manager.behaviorModeling.usePersistentVolume=true` option. Before enabling the persistent volume, please make sure that a PVC named **varmor-manager-apmdata-pvc** has been created in the namespace where the manager is located.
+
+### Data Export and Import
+
+You can export the behavior data and profiles of the target workload for other purposes. For example, use [Policy Advisor](../../policy_advisor.md) to analyze which built-in rules can be used to harden the target application, and guide users to minimize the permissions of the security context of the workload based on the behavior data. You can also import the exported data into other clusters for exported data into other clusters for use.
+
+The methods for exporting and importing ArmorProfileModel objects of different storage types are different:
 
   * **CRDInternal**
 
@@ -182,16 +190,22 @@ Different storage types have different methods for exporting ArmorProfileModel o
       ```bash
       kubectl get ArmorProfileModel -n demo varmor-demo-demo-4 -o json > varmor-demo-demo-4.json
       ```
+    
+    - Import directly using kubectl
+
+      ```bash
+      kubectl apply -f varmor-demo-demo-4.json
+      ```
 
   * **LocalDisk**
 
-    - Forward local port 8080 to port 8080 of the cluster varmor-state-svc Service
+    - Forward local port 8080 to port 8080 of the cluster `varmor-state-svc` Service
 
       ```bash
       kubectl port-forward -n varmor service/varmor-status-svc 8080:8080
       ```
 
-    - Request a ServiceAccount token of varmor-manager
+    - Obtain the ServiceAccount token with read and write permissions for the armorprofilemodels resource. Here, use the ServiceAccount token of varmor-manager.
 
       ```bash
       token=$(kubectl create token varmor-manager -n varmor)
@@ -201,9 +215,22 @@ Different storage types have different methods for exporting ArmorProfileModel o
 
       ```bash
       curl -k -X GET \
-        -H 'Authorization: Bearer $token' \
+        -H "Authorization: Bearer $token" \
         https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 > varmor-demo-demo-4.json
       ```
+    
+    - Access the `/apis/crd.varmor.org/v1beta1/namespaces/{namespace}/armorprofilemodels/{name}` interface to import data
+
+      If there is already an ArmorProfileModel object with the same name in the namespace of the cluster, the behavior data will be merged and the profiles will be overwritten.
+
+      ```bash
+      curl -k \
+          -X POST https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 \
+          -H "Authorization: Bearer $token" \
+          -H "Accept: application/json" \
+          -H "Content-Type: application/json" \
+          -d @varmor-demo-demo-4.json
+      ```
 
 ## Use Case
 

website/i18n/zh-cn/docusaurus-plugin-content-docs/current/getting_started/interface_specification.md

@@ -168,7 +168,7 @@ description: vArmor 的接口规范。
 
 | 字段 | 描述 |
 |-----|------|
-|duration<br />*int*| Duration 是行为建模所需的分钟数。|
+|duration<br />*int*| Duration 是建模的时长（以分钟为单位）。建模时长从策略创建时刻开始计算，仅当当前时间早于预期建模完成时间时有效。该字段支持动态调整，可用于尽早结束建模、延长建模时间或重新启动建模，且取值不能为零。|
 
 ## DefenseInDepth
 

website/i18n/zh-cn/docusaurus-plugin-content-docs/current/guides/policies_and_rules/policy_modes/behavior_modeling.md

@@ -46,7 +46,6 @@ BehaviorModeling 模式的前置条件如下所示：
   ```
 :::
 
-
 ## 使用说明
 
 ### 基本用法
@@ -169,11 +168,19 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
 * 建模完成后，方可将 **BehaviorModeling** 切换为其他模式。
 * 从其他模式切换到 **BehaviorModeling** 或建模已经完成时，您需要更新建模时长并重启目标工作负载，以重新启动行为建模过程。
 
-### 数据导出
+### 数据持久化
+
+建模结果会被 manager 保存到 ArmorProfileModel 对象中。
+
+当行为数据过大时，manager 会将其持久化到本次磁盘，并将 `storageType` 字段设置为 `LocalDisk`。
+
+默认情况下，manager 使用存储空间为 **500Mi** 的 `emptyDir` 卷来存储建模结果。您可以通过 `--set manager.behaviorModeling.usePersistentVolume=true` 选项启用使用持久化卷存储建模结果。启用持久卷前，请确保 manager 所在命名空间中已创建了名为 varmor-manager-apmdata-pvc 的 PVC。
 
-您可以将目标负载的行为数据和 Profiles 导出用于其他目的。例如：使用 [策略顾问](../../policy_advisor.md) 分析哪些内置规则能够被用于加固目标应用，基于行为数据指导用户对工作负载的安全上下文进行权限最小化等。
+### 数据导出与导入
 
-不同存储类型的 ArmorProfileModel 对象导出方法不同：
+您可以将目标负载的行为数据和 Profiles 导出用于其他目的。例如：使用[策略顾问](../../policy_advisor.md)分析哪些内置规则能够被用于加固目标应用，基于行为数据指导用户对工作负载的安全上下文进行权限最小化等。您还可以将导出的数据导入到其他集群中进行使用。
+
+不同存储类型的 ArmorProfileModel 对象导出与导入方法不同：
 
   * **CRDInternal**
 
@@ -182,16 +189,22 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
       ```bash
       kubectl get ArmorProfileModel -n demo varmor-demo-demo-4 -o json > varmor-demo-demo-4.json
       ```
+    
+    - 直接使用 kubectl 导入
+
+      ```bash
+      kubectl apply -f varmor-demo-demo-4.json
+      ```
 
   * **LocalDisk**
 
-    - 将本地端口 8080 转发到集群 varmor-status-svc Service 的 8080 端口
+    - 将本地端口 8080 转发到集群 `varmor-status-svc` Service 的 8080 端口
 
       ```bash
       kubectl port-forward -n varmor service/varmor-status-svc 8080:8080
       ```
 
-    - 获取 varmor-manager 的 ServiceAccount token
+    - 获取具有 armorprofilemodels 资源读写权限的 ServiceAccount token。这里使用 varmor-manager 的 ServiceAccount token
 
       ```bash
       token=$(kubectl create token varmor-manager -n varmor)
@@ -201,9 +214,22 @@ demo        varmor-cluster-demo-demo-4   CRDInternal    2         2           tr
 
       ```bash
       curl -k -X GET \
-        -H 'Authorization: Bearer $token' \
+        -H "Authorization: Bearer $token" \
         https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 > varmor-demo-demo-4.json
       ```
+    
+    - 访问 `/apis/crd.varmor.org/v1beta1/namespaces/{namespace}/armorprofilemodels/{name}` 接口导入数据
+
+      如果集群的命名空间中已经有同名的 ArmorProfileModel 对象，那么行为数据会被合并，Profiles 会被覆盖。
+
+      ```bash
+      curl -k \
+          -X POST https://localhost:8080/apis/crd.varmor.org/v1beta1/namespaces/demo/armorprofilemodels/varmor-demo-demo-4 \
+          -H "Authorization: Bearer $token" \
+          -H "Accept: application/json" \
+          -H "Content-Type: application/json" \
+          -d @varmor-demo-demo-4.json
+      ```
 
 ## 示例
 

website/i18n/zh-cn/docusaurus-plugin-content-docs/version-v0.8/getting_started/interface_specification.md

@@ -168,7 +168,7 @@ description: vArmor 的接口规范。
 
 | 字段 | 描述 |
 |-----|------|
-|duration<br />*int*| Duration 是行为建模所需的分钟数。|
+|duration<br />*int*| Duration 是建模的时长（以分钟为单位）。建模时长从策略创建时刻开始计算，仅当当前时间早于预期建模完成时间时有效。该字段支持动态调整，可用于尽早结束建模、延长建模时间或重新启动建模，且取值不能为零。|
 
 ## DefenseInDepth