Epic Goal

• Make SPO profile recording useful for large and complex workloads

Why is this important?

• SPO is able to record SELinux and seccomp policies for smaller workloads, but there are issues scaling up, both with the recording webhook and the way the resulting policies are generated

Scenarios

1. As an application developer, I want to record SELinux or seccomp profiles or my workload without worrying about SPO stability or having to manually post-process the recorded policies

Acceptance Criteria

• Profiles can be recorded even for workloads that scale up or down during the recoridng
• Manipulating the workload (scaling, deleting its resources etc) must never trigger errors in the webhooks
• SPO must be able to produce a single policy per container, not a single policy per container instance

Dependencies (internal and external)

1. internally, we need to remove

Previous Work (Optional):

1. N/A

Open questions::

1. to be discussed upstream - which mode of recording (merging or per-container-instance) should be the default

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>