
ErenAri/Aegis-BPF

v0.7.0 Feature

This release adds 3 notable features for engineering teams evaluating rollout.

Published 11d Network Security
✓ No known CVEs patched

Topics

bpf bpf-lsm cloud-native-security container-security ebpf helm incident-response kubernetes-security linux-kernel linux-security observability policy-enforcement prometheus runtime-security workload-securi

Affected surfaces

auth rbac breaking_upgrade

ReleasePort's take

Light signal
editorial:auto 11d

The v0.7.0 release updates the Helm chart for aegis‑next and operator integration, adding hardened security controls and new observability metrics.

Why it matters: the operator Deployment now ships with a hardened security context, health/readiness probes and leader election, and emits six custom Prometheus metrics. The aegis-next DaemonSet defaults to scheduling only on nodes labeled aegisbpf.io/arena-capable=true, and the chart gains webhook and ServiceMonitor templates, so review the new operator.webhook.*, metrics.* and aegisNext.nodeSelector values before a production rollout.

Summary

AI summary

Updates Helm Chart, aegis-next Agent, and Operator Integration across a mixed release.

Changes in this release

Feature Medium

Operator generates both INI and line‑based policy formats from AegisPolicy CRDs

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Merged Policy Controller produces a single ConfigMap consumed by all agent pods

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

NodeFeatureReconciler auto‑labels nodes with arena capability and kernel version

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Live agent sync detects pod variant and dispatches correct CLI commands per agent type

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Helm chart adds aegis‑next DaemonSet that auto‑mounts the merged policy ConfigMap or static policy file

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Helm chart hardens Operator Deployment with security context, health/readiness probes, and leader election

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Helm chart includes ValidatingWebhookConfiguration with optional cert‑manager TLS support

Source: llm_adapter@2026-05-23

Confidence: high

Feature Medium

Operator emits six custom Prometheus metrics for observability

Source: llm_adapter@2026-05-23

Confidence: low

Feature Medium

Helm chart adds ServiceMonitor for Prometheus operator integration (gated on monitoring.coreos.com/v1)

Source: llm_adapter@2026-05-23

Confidence: low

Feature Medium

Helm chart adds health check test for operator and BPF pin verification for aegis‑next

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

aegis‑next agent supports reading configuration from a file via `--config` flag

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

aegis‑next agent can load startup policy rules from a file using `--policy` flag

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

aegis‑next agent allows configurable JSONL event export path via `--events` flag

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

aegis‑next uses a multi‑stage Dockerfile to produce a minimal runtime image with BPF stack

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

CMake provides install targets for binary, systemd unit, config file, and example rules

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

aegis‑next includes deb/rpm postinst/postrm scripts for package management

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

CI workflow builds and pushes `aegisbpf-next` and `aegisbpf-operator` images to ghcr.io

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

Helm chart is packaged as OCI artifact on version tags

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Feature Low

kind‑based e2e tests provision a cluster, deploy the operator via Helm, and validate full policy lifecycle

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Bugfix Medium

envtest integration suite now skips gracefully when kubebuilder binaries are absent

Source: llm_adapter@2026-05-23

Confidence: high

Full changelog

AegisBPF v0.7.0

This release closes the end-to-end story from Kubernetes CRD to in-kernel BPF enforcement, making aegis-next deployable as a production DaemonSet managed by the AegisBPF operator.

Highlights

Operator Integration

  • Dual-format policy translation — operator reconciler generates both INI (mainline daemon) and line-based (aegis-next) policy formats from the same AegisPolicy / AegisClusterPolicy CRDs
  • Merged policy controller — watches all cluster and namespaced policies, produces a single merged ConfigMap consumed by all agent pods
  • Node feature discovery — NodeFeatureReconciler auto-labels nodes with aegisbpf.io/arena-capable=true (kernel >= 6.9) and aegisbpf.io/kernel-version=X.Y
  • Live agent sync — controller detects pod variant (mainline vs aegis-next) and dispatches the correct CLI commands per agent type
  • Prometheus metrics — 6 custom metrics: reconcile count, translate latency, active policies, ConfigMap errors, agent sync count, applied nodes

Helm Chart

  • aegis-next DaemonSet — auto-mounts operator-generated ConfigMap (aegis-merged-policy) or static policy
  • Operator Deployment — hardened security context, health/readiness probes, leader election
  • Webhook + cert-manager — ValidatingWebhookConfiguration with optional cert-manager Certificate for automatic TLS
  • ServiceMonitor — Prometheus operator integration (gated on monitoring.coreos.com/v1)
  • Helm tests — operator health check + aegis-next BPF pin verification
  • NOTES.txt — post-install instructions adapted per feature combination
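
As an added illustration of what the merged policy controller and the aegis-next DaemonSet mount agree on (example code written for this page, not the operator's own): a deterministic merge of cluster and namespaced policies into one ConfigMap, with a content hash so agents can be rolled only when the policy actually changes. The ConfigMap name aegis-merged-policy is from the release notes; the Policy struct fields, the policy.rules data key, the two aegisbpf.io annotations and the placeholder rule lines are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Policy is a stand-in for an AegisPolicy (Namespace set) or an AegisClusterPolicy
// (Namespace empty). The field names are assumptions; the CRD schema is not on the page.
type Policy struct {
	Namespace string
	Name      string
	Rules     []string // aegis-next line-based rules, treated here as opaque lines
}

const (
	// MergedConfigMapName is the ConfigMap name given in the release notes.
	MergedConfigMapName = "aegis-merged-policy"
	// PolicyDataKey is an assumed data key the DaemonSet mounts as the policy file.
	PolicyDataKey = "policy.rules"
	// ChecksumAnnotation is an assumed annotation; copying its value onto the DaemonSet
	// pod template is the usual way to roll agent pods when the mounted policy changes.
	ChecksumAnnotation = "aegisbpf.io/policy-checksum"
	// SourcesAnnotation is an assumed annotation recording which objects contributed.
	SourcesAnnotation = "aegisbpf.io/policy-sources"
)

// MergedConfigMap is the minimal shape of the object the controller writes.
type MergedConfigMap struct {
	Name        string
	Annotations map[string]string
	Data        map[string]string
}

// sortPolicies orders cluster-scoped policies before namespaced ones, then by
// namespace and name, so the merge result never depends on list/watch order.
func sortPolicies(in []Policy) []Policy {
	out := make([]Policy, len(in))
	copy(out, in)
	sort.SliceStable(out, func(i, j int) bool {
		if (out[i].Namespace == "") != (out[j].Namespace == "") {
			return out[i].Namespace == ""
		}
		if out[i].Namespace != out[j].Namespace {
			return out[i].Namespace < out[j].Namespace
		}
		return out[i].Name < out[j].Name
	})
	return out
}

// MergePolicies concatenates all non-empty rule lines in deterministic order and
// returns the policy document plus the ordered list of contributing objects.
func MergePolicies(policies []Policy) (doc string, sources []string) {
	var b strings.Builder
	for _, p := range sortPolicies(policies) {
		src := "cluster/" + p.Name
		if p.Namespace != "" {
			src = p.Namespace + "/" + p.Name
		}
		sources = append(sources, src)
		for _, r := range p.Rules {
			if r = strings.TrimSpace(r); r != "" {
				b.WriteString(r)
				b.WriteByte('\n')
			}
		}
	}
	return b.String(), sources
}

// BuildMergedConfigMap renders the ConfigMap. The same policy set, in any input
// order, yields byte-identical Data and the same checksum, so a reconciler can
// compare the checksum to the live object and skip a no-op Update.
func BuildMergedConfigMap(policies []Policy) MergedConfigMap {
	doc, sources := MergePolicies(policies)
	sum := sha256.Sum256([]byte(doc))
	return MergedConfigMap{
		Name: MergedConfigMapName,
		Annotations: map[string]string{
			ChecksumAnnotation: hex.EncodeToString(sum[:]),
			SourcesAnnotation:  strings.Join(sources, ","),
		},
		Data: map[string]string{PolicyDataKey: doc},
	}
}

func main() {
	// Constructed sample objects; the rule lines are placeholders, not real aegis-next syntax.
	policies := []Policy{
		{Namespace: "payments", Name: "deny-shell", Rules: []string{"rule-placeholder-a"}},
		{Namespace: "", Name: "baseline", Rules: []string{"rule-placeholder-b", "", "rule-placeholder-c"}},
		{Namespace: "default", Name: "web", Rules: []string{"rule-placeholder-d"}},
	}
	cm := BuildMergedConfigMap(policies)
	fmt.Printf("ConfigMap %s %s=%s\n%s", cm.Name, ChecksumAnnotation, cm.Annotations[ChecksumAnnotation], cm.Data[PolicyDataKey])
}
```

The ordering matters for more than tidiness: a merge whose output depends on the order objects came back from the API server produces a new ConfigMap revision on every reconcile, and every agent pod sees a spurious policy change. Kubernetes does update a mounted ConfigMap in place after a kubelet sync delay, but the release notes do not say whether aegis-next re-reads its --policy file at runtime, which is why tying the checksum to the pod template (and letting the DaemonSet roll) is the safer default.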

aegis-next Agent

  • Config file support — --config=<file> reads key=value config (policy, events, ocsf)
  • Startup policy loading — --policy=<file> loads rules from file after BPF attach
  • Configurable event path — --events=<path> for JSONL export location
  • Multi-stage Dockerfile — minimal runtime image with BPF stack
  • CMake install targets — binary, systemd unit, config file, example rules
  • Packaging — postinst/postrm scripts for deb/rpm

CI/CD

  • Container image builds — container-images.yml builds and pushes aegisbpf-next and aegisbpf-operator to ghcr.io
  • Helm OCI packaging — packages and pushes chart on version tags
  • kind-based e2e tests — e2e-k8s.yml provisions kind cluster, deploys operator via Helm, validates full policy lifecycle
  • envtest fix — integration tests skip gracefully when kubebuilder binaries absent

Testing

  • 8 new agent controller unit tests (mainline + aegis-next rule generation, binary replacement, container detection)
  • envtest integration suite (create/update/delete policy → ConfigMap lifecycle)
  • E2E test scripts for both bare-metal and Kubernetes

Documentation

  • Comprehensive user guide: installation, CLI reference, policy format, K8s deployment, operator CRDs, event export, binary auth, rate limiting, self-protection, troubleshooting

Install

# Helm
helm install aegisbpf oci://ghcr.io/erenari/charts/aegisbpf --version 0.7.0 \
  --set operator.enabled=true \
  --set aegisNext.enabled=true

# Or apply CRDs + deploy manually
kubectl apply -f operator/config/crd/
helm install aegisbpf ./helm/aegisbpf --set operator.enabled=true

Upgrade Notes

  • If upgrading from v0.6.0, the Helm chart now includes operator webhook and ServiceMonitor templates — review values.yaml for new operator.webhook.* and metrics.* fields
  • The container-images.yml workflow will build and push images on merge to main — ensure GHCR permissions are configured
  • aegis-next DaemonSet now targets aegisbpf.io/arena-capable=true nodes by default; override with aegisNext.nodeSelector if needed
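
To make the default node targeting concrete, here is an added example (not the operator's code) of how the two labels the NodeFeatureReconciler applies can be derived from a node's reported kernel release. The label keys and the 6.9 threshold come from the release notes above; the parsing rules, the explicit false value for non-arena kernels and the sample kernel strings are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Label keys applied by the operator's NodeFeatureReconciler, as named in the release notes.
const (
	LabelArenaCapable  = "aegisbpf.io/arena-capable"
	LabelKernelVersion = "aegisbpf.io/kernel-version"
)

// Minimum kernel for BPF arena support, per the release notes (kernel >= 6.9).
const (
	arenaMinMajor = 6
	arenaMinMinor = 9
)

// ParseKernelVersion extracts major and minor from a Node.Status.NodeInfo.KernelVersion
// string such as "6.9.3-arch1-1", "5.15.0-91-generic" or "6.12.0-rc3". The patch level,
// distro suffix and -rc tag are ignored; only the numeric major.minor prefix counts.
func ParseKernelVersion(release string) (major, minor int, err error) {
	fields := strings.SplitN(strings.TrimSpace(release), ".", 3)
	if len(fields) < 2 {
		return 0, 0, fmt.Errorf("kernel version %q: need at least major.minor", release)
	}
	major, err = strconv.Atoi(fields[0])
	if err != nil {
		return 0, 0, fmt.Errorf("kernel version %q: bad major: %w", release, err)
	}
	// Without a patch level the minor field can carry trailing text ("9-rc1", "15-generic").
	minorStr := fields[1]
	if i := strings.IndexFunc(minorStr, func(r rune) bool { return r < '0' || r > '9' }); i >= 0 {
		minorStr = minorStr[:i]
	}
	minor, err = strconv.Atoi(minorStr)
	if err != nil {
		return 0, 0, fmt.Errorf("kernel version %q: bad minor: %w", release, err)
	}
	return major, minor, nil
}

// ArenaCapable reports whether a kernel at major.minor meets the arena threshold.
func ArenaCapable(major, minor int) bool {
	return major > arenaMinMajor || (major == arenaMinMajor && minor >= arenaMinMinor)
}

// NodeFeatureLabels computes the label set for one node. An unparseable kernel string
// returns an error rather than a guess: an unlabeled node simply never matches the
// DaemonSet's default aegisbpf.io/arena-capable=true selector, which is the conservative
// failure mode for an agent that loads programs into the kernel.
func NodeFeatureLabels(kernelRelease string) (map[string]string, error) {
	major, minor, err := ParseKernelVersion(kernelRelease)
	if err != nil {
		return nil, err
	}
	return map[string]string{
		LabelArenaCapable:  strconv.FormatBool(ArenaCapable(major, minor)), // assumption: "false" is written explicitly
		LabelKernelVersion: fmt.Sprintf("%d.%d", major, minor),
	}, nil
}

func main() {
	// Constructed sample values, not read from a real cluster.
	for _, rel := range []string{"6.9.3-arch1-1", "5.15.0-91-generic", "6.12.0-rc3", "6.8.0-45-generic", "unknown"} {
		labels, err := NodeFeatureLabels(rel)
		if err != nil {
			fmt.Printf("%-20s -> no labels: %v\n", rel, err)
			continue
		}
		fmt.Printf("%-20s -> %s=%s %s=%s\n", rel,
			LabelArenaCapable, labels[LabelArenaCapable],
			LabelKernelVersion, labels[LabelKernelVersion])
	}
}
```

Before relying on the default selector, compare the operator's labels against what the nodes actually report, for example with `kubectl get nodes -L aegisbpf.io/arena-capable,aegisbpf.io/kernel-version`; any node that carries no label will not receive an aegis-next pod unless aegisNext.nodeSelector is overridden.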
