[Feature] Consider Adding the Feature to Dynamically Remove BPF Enforcer #99
Labels
enhancement
New feature or request
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
We should consider supporting the dynamic removal of the BPF enforcer. This would help provide more intervention methods to mitigate issues like #97.
Describe the solution you'd like
Starting from v0.5.9, vArmor supports dynamically adding enforcers to policies. This allows users to enable corresponding enforcer's rules for new workloads without needing to recreate policies, while not affecting the existing workloads.
Considering the particularities of AppArmor & Seccomp enforcers, vArmor does not allow users to dynamically remove enforcers, as this would impact the existing workloads (especially those pods created by an operator). However, the BPF enforcer is not subject to this restriction. We should consider supporting users to update the existing policies to remove the BPF enforcer.
Describe alternatives you've considered
Of course, people can still mitigate similar issues by switching the policy to
AlwaysAllowmode.The text was updated successfully, but these errors were encountered: