Security profiles
A security profile can be described as an allowlist for your application. All files, signals, and capabilities that are not explicitly allowed are denied. The security profile is based on your application’s behavior during audit mode.
There are two ways to create a security profile:
- Kubernetes (recommended)
- Making an API call to the bifrost API
Kubernetes
Set profile.bifrost.com/mode to complain or enforce to let bifrost apply profiles to your pods.
Same profile for all pods
When profile.bifrost.com/name is set, bifrost will ensure all pods have the same profile. If there is an existing profile with that name for your service, it will be used. Otherwise, a new profile will be created.
New profiles on demand
If you want a new profile each time a pod is created, omit the profile.bifrost.com/name annotation. Profiles are then created on demand, tailored to the application’s latest behavior.
If you want to create a profile ahead of deploying your application, you can make an API call to the bifrost API.
First, create an <API_TOKEN> in the bifrost portal. This is created at the organization level and is different from the agent key. Then, use the following curl command to generate a security profile. Replace <SERVICE_NAME> with the name of your service and <SERVICE_VERSION> with the version of your service.

```sh
curl -X POST "https://portal.bifrostsec.com/api/v2/service/<SERVICE_NAME>/version/<SERVICE_VERSION>/profile" -H "Authorization: Bearer <API_TOKEN>"
```

This will return a profile name that you can use in the profile.bifrost.com/name annotation.
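The API call and the annotation workflow above, as one added example that is not bifrost's own tooling: a POSIX shell script that builds the profile request for a service version and then renders the kubectl patch that places the name and mode annotations on a Deployment's pod template. It assumes the API returns the profile name as a plain-text body and that BIFROST_API_TOKEN holds the organization-level API token; both are assumptions, not documented on this page.

```sh
#!/bin/sh
# Added example (not bifrost's own tooling): request a profile for a service version
# through the bifrost API, then pin it on a Deployment's pod template with the
# profile.bifrost.com/name and profile.bifrost.com/mode annotations.
# Assumptions: the API response body is the bare profile name (adjust if it is JSON),
# and BIFROST_API_TOKEN holds an organization-level API token, not the agent key.
set -eu

BIFROST_API="https://portal.bifrostsec.com/api/v2"

# Reject values that would break the URL path or the JSON patch, or add path segments.
valid_segment() {
  case "$1" in
    ''|*/*|*' '*|*'?'*|*'#'*|*'"'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build the profile endpoint for a service/version pair.
profile_url() {
  valid_segment "$1" && valid_segment "$2" || return 1
  printf '%s/service/%s/version/%s/profile\n' "$BIFROST_API" "$1" "$2"
}

# Strategic-merge patch that puts both annotations on the pod template, so every
# pod the Deployment creates carries them. Only complain and enforce are accepted.
pod_template_patch() {
  valid_segment "$1" || return 1
  case "$2" in complain|enforce) ;; *) return 1 ;; esac
  printf '{"spec":{"template":{"metadata":{"annotations":{"profile.bifrost.com/name":"%s","profile.bifrost.com/mode":"%s"}}}}}\n' "$1" "$2"
}

# Network step: create the profile and print its name.
create_profile() {
  url="$(profile_url "$1" "$2")"
  curl -fsS -X POST "$url" -H "Authorization: Bearer $BIFROST_API_TOKEN"
}

# Usage: start in complain mode, switch to enforce once the audit looks clean.
# name="$(create_profile checkout 1.4.2)"
# kubectl patch deployment checkout -p "$(pod_template_patch "$name" complain)"
```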
GitHub Action
generate-profile-action is a GitHub Action that can be used to make the API call to generate a security profile. See the usage instructions in the repository.