vArmor: A cloud native container sandbox system


vArmor is a cloud-native container sandbox system. It leverages Linux’s AppArmor LSMBPF LSM and Seccomp technologies to implement enforcers. It can be used to strengthen container isolation, reduce the kernel attack surface, and increase the difficulty and cost of container escape or lateral movement attacks. You can leverage vArmor in the following scenarios to provide sandbox protection for containers within a Kubernetes cluster.

  • In multi-tenant environments, hardware-virtualized container solutions cannot be employed due to factors such as cost and technical conditions.
  • When there is a need to enhance the security of critical business containers, making it more difficult for attackers to escalate privileges, escape, or laterally move.
  • When high-risk vulnerabilities are present, but immediate remediation is not possible due to the difficulty or lengthy process of patching. vArmor can be used to mitigate the risks (depending on the vulnerability type or exploitation vector) to block or increase the difficulty of exploitation.


  • Cloud-native. vArmor follows the Kubernetes Operator design pattern, allowing users to harden specific workloads by manipulating the CRD API. This approach enables sandboxing of containerized microservices from a perspective closely aligned with business needs.
  • Supports the use of AppArmor, BPF, Seccomp enforcer individually or in combination, enforcing mandatory access control on container file access, process execution, network outbound, syscall, and more.
  • Supports the Allow by Default security model, in which only behaviors explicitly declared will be blocked, thus minimize performance impact and enhancing usability.
  • Supports behavior modeling, and provides protection based on behavior models, meaning only behaviors explicitly declared are permitted.
  • Ready to use out of the box. vArmor includes multiple built-in rules for direct use.

Install & Use