Changelog

New features and improvements to Bomfather

Support for Kubernetes and Bare Metal

Bomfather now supports both Kubernetes and non-Kubernetes workloads. We built it so that you can use it in both environments while keeping the configuration extremely simple.

In the example below, we have policies for the “host” (when the container path is empty) and for an nginx container in the dev namespace.

container_policies:
  - container_path: "" # HOST (container_path empty) 
    executables:
      - path: "example/accessor/accessor"
        access_gpu: true
        directories:
          - path: "example/protected/protected1"
            permission: "read"

  - container_path: "dev:web:nginx:" # Kubernetes format, namespace:pod:container
    executables:
      - path: "/usr/sbin/nginx"
        directories:
          - path: "/var/cache"
            permission: "write" 

One of the differentiators we wanted was a straightforward configuration that lets you mix and match host and Kubernetes policies within a single file.

Container paths also support wildcards, so one policy can cover several workloads and configuration stays short.

eBPF Map Hardening

We have added some major security improvements to protect Bomfather’s eBPF programs from tampering and manipulation attacks.

Security Enhancements:

  • Protected eBPF maps from unauthorized access, so that policy maps cannot be tampered with even by a root user
  • Secured the communication channels between userspace and the kernel

These hardening measures address vulnerabilities we discovered in existing eBPF security solutions, where attackers could manipulate policy maps to bypass security controls.
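As an added illustration (this is not Bomfather's code, and the changelog does not say which kernel mechanisms it relies on), the C program below shows one primitive Linux provides for exactly this kind of tamper resistance: BPF_MAP_FREEZE (Linux 5.2 and later), which makes a map read-only from the syscall side for every process, root included, while the attached eBPF program keeps the access it had. The map created here is a stand-in u32 to u32 hash, since the layout of a real policy map is not given on this page; the error codes mapped to "skipped" are an assumption about how an unprivileged or sandboxed host will answer.

```c
#include <errno.h>
#include <linux/bpf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Outcome of the demonstration. SKIPPED means this host would not let us create or freeze a map
 * (no CAP_BPF/CAP_SYS_ADMIN, unprivileged BPF disabled, a seccomp filter, or a pre-5.2 kernel). */
enum { DEMO_OK = 0, DEMO_FAIL = 1, DEMO_SKIPPED = 2 };

static long sys_bpf(int cmd, union bpf_attr *attr) {
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/* Stand-in for a policy map: a small u32 -> u32 hash (constructed; the real layout is unknown). */
static int create_policy_map(void) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_type = BPF_MAP_TYPE_HASH;
    attr.key_size = sizeof(uint32_t);
    attr.value_size = sizeof(uint32_t);
    attr.max_entries = 16;
    return (int)sys_bpf(BPF_MAP_CREATE, &attr);
}

static int map_update(int fd, uint32_t key, uint32_t value) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)fd;
    attr.key = (uint64_t)(uintptr_t)&key;
    attr.value = (uint64_t)(uintptr_t)&value;
    attr.flags = BPF_ANY;
    return (int)sys_bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

/* BPF_MAP_FREEZE drops syscall-side write access to the map for every process, whatever its uid.
 * It cannot be undone for this map; the eBPF program attached to it is unaffected. */
static int map_freeze(int fd) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_fd = (uint32_t)fd;
    return (int)sys_bpf(BPF_MAP_FREEZE, &attr);
}

int freeze_demo(void) {
    int rc = DEMO_FAIL;
    int fd = create_policy_map();
    if (fd < 0)
        return (errno == EPERM || errno == EACCES || errno == ENOSYS) ? DEMO_SKIPPED : DEMO_FAIL;

    /* Populate the policy before freezing: this is the loader's one chance to write it. */
    if (map_update(fd, 1, 1) != 0) goto out;

    if (map_freeze(fd) != 0) {
        /* EPERM: caller lacks CAP_BPF/CAP_SYS_ADMIN; EINVAL: kernel predates BPF_MAP_FREEZE. */
        if (errno == EPERM || errno == EINVAL) rc = DEMO_SKIPPED;
        goto out;
    }

    /* Any later userspace write must now fail with EPERM, even when run as root. */
    if (map_update(fd, 2, 1) == 0 || errno != EPERM) goto out;
    rc = DEMO_OK;
out:
    close(fd);
    return rc;
}

int main(void) {
    static const char *outcome[] = {
        "frozen map rejected a post-freeze write with EPERM",
        "FAILED: map accepted a write after freeze",
        "skipped: no BPF privileges or no BPF_MAP_FREEZE support on this host",
    };
    int rc = freeze_demo();
    printf("%s\n", outcome[rc]);
    return rc == DEMO_FAIL;
}
```

Run it with CAP_BPF (or as root) on a kernel of 5.2 or later to see the post-freeze write rejected. The caveat a practitioner should keep in mind: freezing only closes the syscall-side write path. A root user can still detach or unload the program, or load a different one, so a frozen map is one layer and has to be combined with controls on program loading and attachment, as the changelog's second bullet suggests.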

Policy Inheritance System

We have simplified policy management considerably with our new inheritance system. No more page-long configuration files!

New Policy Features:

  • Default-deny security model
  • Hierarchical policy inheritance
  • Simple five-line base configurations
  • Automatic policy propagation to child processes

Our inheritance model means you define what’s allowed once, and Bomfather handles the rest. When workflows change, you don’t need to rewrite entire configuration files.
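To make the configuration format from the Kubernetes and Bare Metal section and the inheritance system described here concrete, the following is an added example in C. It is not Bomfather's code (its enforcement runs in eBPF, and this changelog does not spell out its exact semantics); it models policy resolution over the changelog's own YAML: host versus Kubernetes container_path matching, glob-style wildcards in the container path (the wildcard syntax is assumed), default deny, and propagation of a parent's policy to a child process that has no rule of its own (an assumption about how propagation works). The policy table reproduces the two entries from the YAML above plus one assumed wildcard entry, and the process table is constructed for the example; treating "write" as implying "read" is likewise an assumption.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Permissions as bits; "write" is assumed to imply "read" (not stated by the changelog). */
enum perm { PERM_NONE = 0, PERM_READ = 1, PERM_WRITE = 2 };

struct dir_rule         { const char *path; enum perm perm; };
struct exec_rule        { const char *path; bool access_gpu; const struct dir_rule *dirs; size_t ndirs; };
struct container_policy { const char *container_path; const struct exec_rule *execs; size_t nexecs; };

/* Constructed policy set: the host and dev:web:nginx: entries from the changelog's YAML,
 * plus a third entry using a glob-style wildcard (assumed syntax) for every pod in "prod". */
static const struct dir_rule  host_dirs[]   = { { "example/protected/protected1", PERM_READ } };
static const struct exec_rule host_execs[]  = { { "example/accessor/accessor", true, host_dirs, 1 } };
static const struct dir_rule  nginx_dirs[]  = { { "/var/cache", PERM_WRITE } };
static const struct exec_rule nginx_execs[] = { { "/usr/sbin/nginx", false, nginx_dirs, 1 } };
static const struct container_policy policies[] = {
    { "",               host_execs,  1 },   /* host: empty container_path */
    { "dev:web:nginx:", nginx_execs, 1 },   /* Kubernetes namespace:pod:container */
    { "prod:*:nginx:",  nginx_execs, 1 },   /* assumed wildcard form */
};

/* A process as the enforcement layer sees it; parent is an index into the same table, or -1. */
struct proc { const char *container_path; const char *exe; int parent; };

/* Constructed process table used by main() and the checks. */
static const struct proc procs[] = {
    { "",                "example/accessor/accessor", -1 }, /* 0: host accessor */
    { "dev:web:nginx:",  "/usr/sbin/nginx",           -1 }, /* 1: nginx master */
    { "dev:web:nginx:",  "/bin/sh",                    1 }, /* 2: helper spawned by nginx */
    { "prod:api:nginx:", "/usr/sbin/nginx",           -1 }, /* 3: matched only via the wildcard */
    { "dev:web:nginx:",  "/usr/bin/curl",             -1 }, /* 4: no rule anywhere */
};

/* The executable rule that directly matches this container_path/exe pair, if any. */
static const struct exec_rule *direct_rule(const char *container_path, const char *exe) {
    for (size_t p = 0; p < sizeof policies / sizeof policies[0]; p++) {
        if (fnmatch(policies[p].container_path, container_path, 0) != 0)
            continue;                         /* "" matches only the host (empty path) */
        for (size_t e = 0; e < policies[p].nexecs; e++)
            if (strcmp(policies[p].execs[e].path, exe) == 0)
                return &policies[p].execs[e];
    }
    return NULL;
}

/* Effective rule: the process's own, else the nearest ancestor's (propagation to children).
 * NULL means nothing matched anywhere up the tree, which is a deny under default deny. */
static const struct exec_rule *effective_rule(int idx) {
    while (idx >= 0) {
        const struct exec_rule *r = direct_rule(procs[idx].container_path, procs[idx].exe);
        if (r) return r;
        idx = procs[idx].parent;
    }
    return NULL;
}

/* True when path equals dir or lies beneath it; component-aware, so /var/cachex is not under /var/cache. */
static bool path_under(const char *dir, const char *path) {
    size_t n = strlen(dir);
    return strncmp(dir, path, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

bool file_allowed(int idx, const char *path, enum perm want) {
    const struct exec_rule *r = effective_rule(idx);
    if (!r) return false;                     /* default deny */
    for (size_t d = 0; d < r->ndirs; d++) {
        if (!path_under(r->dirs[d].path, path)) continue;
        int granted = r->dirs[d].perm == PERM_WRITE ? (PERM_READ | PERM_WRITE) : r->dirs[d].perm;
        return (granted & want) == want;
    }
    return false;                             /* directory not listed: deny */
}

bool gpu_allowed(int idx) {
    const struct exec_rule *r = effective_rule(idx);
    return r && r->access_gpu;
}

int main(void) {
    printf("accessor reads protected1:      %d\n", file_allowed(0, "example/protected/protected1/key", PERM_READ));
    printf("accessor writes protected1:     %d\n", file_allowed(0, "example/protected/protected1/key", PERM_WRITE));
    printf("sh (child of nginx) writes cache: %d\n", file_allowed(2, "/var/cache/nginx/tmp", PERM_WRITE));
    printf("nginx in prod:api via wildcard: %d\n", file_allowed(3, "/var/cache/nginx/tmp", PERM_WRITE));
    printf("curl with no rule reads cache:  %d\n", file_allowed(4, "/var/cache/nginx/tmp", PERM_READ));
    return 0;
}
```

The walk up the parent chain in effective_rule is what makes a short base configuration sufficient: only the entry point of a workload needs a rule, and every process it spawns is judged by that same rule unless a more specific one exists for it. Anything that reaches the top of the chain without a match is denied, which is the default-deny property.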