Security profiles
A security profile can be described as an allowlist for your application. All files, signals, and capabilities that are not explicitly allowed are denied. The security profile is based on your application’s behavior during audit mode.
Usage
There are two ways to create a security profile:
- Kubernetes (recommended)
- Making an API call to the bifrost API
Kubernetes
Set profile.bifrost.com/mode to complain or enforce to let bifrost apply profiles to your pods.
Same profile for all pods
When profile.bifrost.com/name is set, bifrost ensures all pods have the same profile. If a profile with that name already exists for your service, it is used. Otherwise, a new profile is created.
New profiles on demand
If you want a new profile each time a pod is created, omit the profile.bifrost.com/name annotation. You then get new profiles on demand that are tailored to the application's latest behavior.
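As an added example (not part of bifrost's own tooling), the following Python check reads the two annotations described above from a Pod or workload manifest and reports an unsupported mode value, a missing mode, or an omitted name (which means on-demand profiles per pod). It assumes bifrost reads the annotations from pod metadata, i.e. spec.template.metadata for a Deployment; the manifests below are constructed samples.

```python
"""Static check for bifrost security-profile annotations on Kubernetes manifests.

Added example, not bifrost's own code. Assumption: bifrost reads the annotations
from pod metadata (for workload controllers, from spec.template.metadata).
"""

MODE_KEY = "profile.bifrost.com/mode"
NAME_KEY = "profile.bifrost.com/name"
VALID_MODES = {"complain", "enforce"}


def pod_annotations(manifest: dict) -> dict:
    """Return the annotations the resulting pods will carry."""
    if manifest.get("kind") == "Pod":
        meta = manifest.get("metadata", {})
    else:  # Deployment, StatefulSet, etc. wrap a pod template
        meta = manifest.get("spec", {}).get("template", {}).get("metadata", {})
    return meta.get("annotations") or {}


def check_profile_annotations(manifest: dict) -> list:
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    ann = pod_annotations(manifest)
    mode = ann.get(MODE_KEY)
    if mode is None:
        findings.append(f"{MODE_KEY} missing: bifrost will not apply a profile")
    elif mode not in VALID_MODES:
        findings.append(f"{MODE_KEY}={mode!r} is not one of {sorted(VALID_MODES)}")
    if NAME_KEY not in ann:
        findings.append(f"{NAME_KEY} omitted: each new pod gets an on-demand profile")
    elif not ann[NAME_KEY].strip():
        findings.append(f"{NAME_KEY} is empty")
    return findings


# Constructed sample: shared named profile, enforced on every pod.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "spec": {"template": {"metadata": {"annotations": {
        MODE_KEY: "enforce", NAME_KEY: "payments-api"}}}},
}
# Constructed sample: unsupported mode value and no shared profile name.
SAMPLE_POD = {"kind": "Pod", "metadata": {"annotations": {MODE_KEY: "audit"}}}

if __name__ == "__main__":
    for m in (SAMPLE_DEPLOYMENT, SAMPLE_POD):
        print(m["kind"], check_profile_annotations(m) or "OK")
```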
API
If you want to create a profile ahead of deploying your application, you can make an API call to the bifrost API.
First, create an <API_TOKEN> in the bifrost portal. This is created at the organization level and is different from the agent key. Then, use the following curl command to generate a security profile. Replace <SERVICE_NAME> with the name of your service and <SERVICE_VERSION> with the version of your service.
This returns a profile name that you can use in the profile.bifrost.com/name annotation.
GitHub Action
generate-profile-action is a GitHub Action that can be used to make the API call to generate a security profile. See usage instructions in the repository.