ErenAri/Aegis-BPF

v0.5.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 1mo Network Security
✓ No known CVEs patched

Topics

bpf bpf-lsm cloud-native-security container-security ebpf helm
incident-response kubernetes-security linux-kernel linux-security observability policy-enforcement prometheus runtime-security workload-securi

Affected surfaces

auth rbac

Summary

AI summary

AegisBPF adds a richer workload selector, per-rule actions with deterministic Allow-over-Block precedence, stronger validation, and an optional embedded web console.

Full changelog

Summary

v0.5.0 advances AegisBPF from a narrower operator model to a more production-usable policy orchestration surface.

This release introduces:

  • a richer workload targeting model with spec.workloadSelector
  • per-rule action support (Allow / Block)
  • deterministic Allow-over-Block merge precedence
  • stronger admission-time validation
  • an opt-in embedded operator web console for policy visibility and daemon monitoring

Together, these changes make policy authoring, reconciliation, and observability more practical for Kubernetes-based deployments.


Highlights

1) New operator policy model

The operator now supports a more expressive policy surface:

  • spec.workloadSelector with Kubernetes-style selector semantics
  • per-rule action fields for file/network rules
  • explicit Allow > Block precedence during merged-policy generation
  • legacy selector compatibility retained for older YAMLs

This closes a major usability gap in earlier operator versions and brings policy targeting closer to native Kubernetes patterns.

2) Stronger validation and safer reconciliation

Admission and reconciliation behavior were tightened to fail earlier and more clearly:

  • validation for workloadSelector
  • namespace scoping checks for namespaced policies
  • rejection of invalid Allow/Block collisions
  • rejection of unsupported Allow usage on rule types that cannot be lowered safely
  • deprecation signaling when legacy selector fields are still used
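As an added example of the per-rule action model with Allow-over-Block merge precedence (section 1) and the Allow/Block collision check (section 2): this is illustration code written here, not AegisBPF's own implementation. The Rule, Policy, Validate and Merge names, the sample policies in the comments, and the assumption that a rule is identified by its kind plus its target are all hypothetical.

```go
package main

import "fmt"

// Hypothetical model of the v0.5.0 per-rule action semantics; not AegisBPF's own types.
type Action string
const (
	Allow Action = "Allow"
	Block Action = "Block"
)
// Rule targets one file path or network endpoint; Kind is "file" or "network".
type Rule struct {
	Kind, Target string
	Action       Action
}
type Policy struct {
	Name  string
	Rules []Rule
}
// key identifies a target across policies so rules for it can be merged (assumed identity).
func key(r Rule) string { return r.Kind + ":" + r.Target }
// Validate rejects a policy that gives one target both Allow and Block,
// the admission-time collision check the release notes describe.
func Validate(p Policy) error {
	seen := map[string]Action{}
	for _, r := range p.Rules {
		if prev, ok := seen[key(r)]; ok && prev != r.Action {
			return fmt.Errorf("%s: Allow/Block collision on %s", p.Name, key(r))
		}
		seen[key(r)] = r.Action
	}
	return nil
}

// Merge folds every policy selecting one workload into one rule set keyed by
// target; an Allow wins over any Block for the same target, whatever the policy order.
func Merge(policies []Policy) (map[string]Rule, error) {
	merged := map[string]Rule{}
	for _, p := range policies {
		if err := Validate(p); err != nil {
			return nil, err
		}
		for _, r := range p.Rules {
			if prev, ok := merged[key(r)]; !ok || prev.Action != Allow {
				merged[key(r)] = r
			}
		}
	}
	return merged, nil
}
```

With a constructed "baseline" policy blocking file:/etc/shadow and network:tcp/443 and an "exception" policy allowing file:/etc/shadow, Merge yields Allow for /etc/shadow and Block for tcp/443 in either policy order, while a policy listing both actions for the same target is rejected.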

3) Embedded operator web console

This release adds a lightweight, read-only web console embedded directly into the operator binary.

Features:

  • Dashboard view
  • Policies list
  • Policy detail view
  • Nodes / daemon status view
  • htmx-based refresh flow
  • SSE broker for live status/event plumbing
  • no new Go runtime dependencies for the console stack

The console is opt-in and can be enabled with:

./operator --enable-console --console-addr :9090
