Profiles

Reusable mirrord config templates

The installation of the mirrord operator defines two types of custom resources in your cluster: MirrordClusterProfile and MirrordProfile.

This feature is available to users on the Team and Enterprise pricing plans.

These resources provide a unified base for users' mirrord configurations. Users can reference a profile in their mirrord config, and mirrord will apply the defined feature adjustments accordingly.

Cluster-Wide Profiles (`MirrordClusterProfile`)

MirrordClusterProfile is a cluster-scoped custom resource that provides a shared base configuration available to all namespaces in the cluster.

apiVersion: profiles.mirrord.metalbear.co/v1alpha
kind: MirrordClusterProfile
metadata:
  # This name can be referenced by the user in their mirrord configs.
  name: example-cluster-profile
spec:
  # A list of adjustments to be made in the user's feature config.
  #
  # The adjustments are applied in order.
  featureAdjustments:
    # Incoming traffic will be stolen.
    - change: incoming-steal
    # All outgoing traffic will be remote.
    - change: outgoing-remote
    # All DNS resolution will be remote.
    - change: dns-remote

Namespaced Profiles (`MirrordProfile`)

MirrordProfile is a namespaced custom resource. These profiles are defined within a specific namespace and are only available to workloads running in that namespace.

apiVersion: profiles.mirrord.metalbear.co/v1alpha
kind: MirrordProfile
metadata:
  name: example-profile
  namespace: example-namespace
spec:
  featureAdjustments:
    - change: incoming-steal
    - change: outgoing-remote
    - change: dns-remote

Allowed Feature Adjustments

The complete list of allowed values for the featureAdjustments.[].change field is as follows:

incoming-mirror - incoming traffic will be mirrored
incoming-steal - incoming traffic will be stolen
incoming-off - incoming traffic will not be intercepted
dns-remote - all DNS resolution will be remote
dns-off - all DNS resolution will be local
outgoing-remote - all outgoing traffic will be remote
outgoing-off - all outgoing traffic will be local

Selecting a profile

Starting from mirrord version 3.136.0, the user can select a mirrord profile in their mirrord config. The profile is referenced by its name.

{
    "profile": "example-profile"
}

Enforcing profiles

Use of mirrord profiles can be enforced with mirrord policies.

Important: mirrord profiles are applied to the session on the user machine, and should not be used as security features.

PreviousOutgoing Traffic Policies NextQueue Splitting

Last updated 5 hours ago

Was this helpful?

Good evening

hashtagCluster-Wide Profiles (MirrordClusterProfile)

hashtagNamespaced Profiles (MirrordProfile)

hashtagAllowed Feature Adjustments

hashtagSelecting a profile

hashtagEnforcing profiles

Cluster-Wide Profiles (`MirrordClusterProfile`)

Namespaced Profiles (`MirrordProfile`)

Allowed Feature Adjustments

Selecting a profile

Enforcing profiles