Cloud Infrastructure Security & Compliance / CMP-3537

The workload fails to create with "container create failed: write to `/proc/self/attr/keycreate`: Invalid argument" after the profilerecording is created


      Description of problem:

      On a 4.20 cluster, when trying to do log-based selinuxprofiles recording for a daemonset, after the profilerecording is created the workload fails to be created:
      % oc get pod
      NAME                               READY   STATUS                 RESTARTS   AGE
      hello-openshift-57779f89fc-5z56c   0/2     CreateContainerError   0          43s
      hello-openshift-57779f89fc-t5jhj   0/2     CreateContainerError   0          43s
      hello-openshift-57779f89fc-v25r6   2/2     Running                0          43s
      % oc describe pod/hello-openshift-57779f89fc-5z56c
      Name:             hello-openshift-57779f89fc-5z56c
      Namespace:        mytest
      Priority:         0
      Service Account:  spo-record-sa
      Node:             ip-10-0-48-101.us-east-2.compute.internal/10.0.48.101
      Start Time:       Tue, 19 Aug 2025 17:57:04 +0800
      Labels:           app=hello-openshift
                        pod-template-hash=57779f89fc
      Annotations:      io.containers.trace-avcs/nginx: test-recording_nginx_x6p4t_1755597424
                        io.containers.trace-avcs/redis: test-recording_redis_txqn8_1755597424
                        io.containers.trace-logs/nginx: hello-openshift-recording_nginx_nrb88_1755597424
                        io.containers.trace-logs/redis: hello-openshift-recording_redis_7mhjz_1755597424
      …
      Containers:
        nginx:
          Container ID:        
          Image:               quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
          Image ID:            
          Port:                80/TCP
          Host Port:           0/TCP
          SeccompProfile:      Localhost
            LocalhostProfile:  operator/log-enricher-trace.json
          State:               Waiting
            Reason:            CreateContainerError
          Ready:               False
          Restart Count:       0
          Environment:         <none>
          Mounts:
            /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-vvcjc (ro)
        redis:
          Container ID:        
          Image:               quay.io/security-profiles-operator/redis:6.2.1
          Image ID:            
          Port:                81/TCP
          Host Port:           0/TCP
          SeccompProfile:      Localhost
            LocalhostProfile:  operator/log-enricher-trace.json
          State:               Waiting
            Reason:            CreateContainerError
          Ready:               False
          Restart Count:       0
          Environment:         <none>
          Mounts:
            /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-vvcjc (ro)
      Conditions:
        Type                        Status
        PodReadyToStartContainers   True 
        Initialized                 True 
        Ready                       False 
        ContainersReady             False 
        PodScheduled                True 
      …
      Events:
        Type     Reason            Age               From               Message
        ----     ------            ----              ----               -------
        Normal   Scheduled         60s               default-scheduler  Successfully assigned mytest/hello-openshift-57779f89fc-5z56c to ip-10-0-48-101.us-east-2.compute.internal
        Normal   ProfileRecording  60s               profilerecorder    Recording profiles
        Normal   AddedInterface    60s               multus             Add eth0 [10.131.4.38/23] from ovn-kubernetes
        Normal   Pulled            7s (x7 over 60s)  kubelet            Container image "quay.io/security-profiles-operator/test-nginx-unprivileged:1.21" already present on machine
        Warning  Failed            7s (x7 over 60s)  kubelet            Error: container create failed: write to `/proc/self/attr/keycreate`: Invalid argument
        Normal   Pulled            7s (x7 over 60s)  kubelet            Container image "quay.io/security-profiles-operator/redis:6.2.1" already present on machine
        Warning  Failed            7s (x7 over 60s)  kubelet            Error: container create failed: write to `/proc/self/attr/keycreate`: Invalid argument

      Version-Release number of selected component (if applicable): 

      Security-profiles-operator.v0.9.0 + 4.20 nightly payload 4.20.0-0.nightly-2025-08-12-153542

      How reproducible:

      Always.

      Steps to Reproduce:

      1. Enable log enricher 
      2. Create a ns mytest, apply labels for it
      % oc label ns mytest spo.x-k8s.io/enable-recording=true

      3. Create a profilerecording
      $ oc apply -f -<<EOF
      apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
      kind: ProfileRecording
      metadata:
        name: test-recording
      spec:
        kind: SelinuxProfile
        recorder: logs
        mergeStrategy: containers
        podSelector:
          matchLabels:
            app: hello-openshift
      EOF

      4. Create a sa 
      5. Create the workload
      $  oc apply -f -<<EOF
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: hello-openshift
        namespace: mytest
      spec:
        replicas: 3
        selector:
          matchLabels:
            app: hello-openshift
        template:
          metadata:
            labels:
              app: hello-openshift
          spec:
            serviceAccountName: spo-record-sa
            containers:
            - name: hello-openshift
              image: quay.io/openshifttest/hello-openshift:multiarch
              ports:
              - containerPort: 8080
              readinessProbe:
                tcpSocket:
                  port: 8080
                initialDelaySeconds: 5
                periodSeconds: 5
            - name: hello-openshift2
              image: quay.io/openshifttest/hello-openshift:multiarch-fedora
              ports:
              - containerPort: 8081
              readinessProbe:
                tcpSocket:
                  port: 8081
                initialDelaySeconds: 5
                periodSeconds: 5
      EOF

      Actual results:

      The workload fails to be created. More information is in the description above.
      In the spo webhook logs, you can see the below log line:
      `I0819 07:23:05.539180       1 warning_handler.go:65] "metadata.finalizers: \"active-workload-lock\": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers" logger="KubeAPIWarningLogger"`

      Expected results:

      The workload should be created successfully and the profilerecording should work as expected.

      Additional information

      This issue reproduces with the 4.20 payload only.
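The reproduction above leaves the recorded pods in CreateContainerError, and the only place the cause shows up is the container's waiting message. The following triage helper is an added example, not code from the issue or from the security-profiles-operator project: it takes the JSON that `oc get pods -n <namespace> -o json` prints, finds every container waiting on CreateContainerError whose message mentions the `/proc/self/attr/keycreate` write failure, and lists the `io.containers.trace-*` annotations that mark the pod as a recording target, so you can confirm that only recorded pods are affected. The embedded PodList is constructed from the values in this issue.

```python
"""Triage helper for pods stuck in CreateContainerError while a
security-profiles-operator ProfileRecording is active.

Added example; not part of the Jira issue or of the SPO project.  It reads a
parsed `oc get pods -o json` document (a PodList) and reports every container
waiting on CreateContainerError whose message mentions the
/proc/self/attr/keycreate write failure, alongside the trace annotations the
SPO webhook adds to containers selected by a ProfileRecording.
"""
import json
import sys

KEYCREATE_MARKER = "/proc/self/attr/keycreate"
TRACE_PREFIXES = ("io.containers.trace-logs/", "io.containers.trace-avcs/")


def find_keycreate_failures(pod_list):
    """Return one dict per container that failed to create because of the
    keycreate write error.  `pod_list` is a parsed PodList document."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        annotations = meta.get("annotations") or {}
        # Containers targeted by a ProfileRecording carry trace annotations.
        recorded = sorted(k for k in annotations if k.startswith(TRACE_PREFIXES))
        for cs in pod.get("status", {}).get("containerStatuses", []):
            waiting = (cs.get("state") or {}).get("waiting")
            if not waiting or waiting.get("reason") != "CreateContainerError":
                continue
            message = waiting.get("message", "")
            if KEYCREATE_MARKER not in message:
                continue
            findings.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "container": cs.get("name"),
                "node": pod.get("spec", {}).get("nodeName"),
                "recording_annotations": recorded,
                "message": message,
            })
    return findings


def report(pod_list):
    """Human-readable summary lines, one per affected container."""
    return [
        f"{f['namespace']}/{f['pod']} container={f['container']} "
        f"node={f['node']} recorded={','.join(f['recording_annotations']) or '-'}"
        for f in find_keycreate_failures(pod_list)
    ]


# Constructed sample mirroring the issue: one pod with two containers stuck
# on the keycreate error, one pod running normally.
KEYCREATE_MESSAGE = "container create failed: write to `/proc/self/attr/keycreate`: Invalid argument"
SAMPLE_POD_LIST = {
    "kind": "List",
    "items": [
        {
            "metadata": {
                "name": "hello-openshift-57779f89fc-5z56c",
                "namespace": "mytest",
                "annotations": {
                    "io.containers.trace-logs/nginx": "hello-openshift-recording_nginx_nrb88_1755597424",
                    "io.containers.trace-logs/redis": "hello-openshift-recording_redis_7mhjz_1755597424",
                },
            },
            "spec": {"nodeName": "ip-10-0-48-101.us-east-2.compute.internal"},
            "status": {"containerStatuses": [
                {"name": "nginx", "state": {"waiting": {"reason": "CreateContainerError", "message": KEYCREATE_MESSAGE}}},
                {"name": "redis", "state": {"waiting": {"reason": "CreateContainerError", "message": KEYCREATE_MESSAGE}}},
            ]},
        },
        {
            "metadata": {"name": "hello-openshift-57779f89fc-v25r6", "namespace": "mytest"},
            "spec": {"nodeName": "ip-10-0-48-101.us-east-2.compute.internal"},
            "status": {"containerStatuses": [
                {"name": "nginx", "state": {"running": {}}},
                {"name": "redis", "state": {"running": {}}},
            ]},
        },
    ],
}

if __name__ == "__main__":
    # Usage: oc get pods -n mytest -o json > pods.json && python3 triage.py pods.json
    # Without an argument the constructed sample above is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_POD_LIST
    print("\n".join(report(data)) or "no keycreate failures found")
```

Run it against a saved `oc get pods -o json` dump from the recording namespace; a pod that shows up here without any `io.containers.trace-*` annotation would indicate the failure is not limited to recorded workloads.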

      Assignee: Unassigned
      Reporter: Xiaojie Yuan (xiyuan@redhat.com)