Bug
Resolution: Unresolved
Normal
Quality / Stability / Reliability
CMP Sprint 56, CMP Sprint 61
Moderate
Description of problem:
The ENABLE_LOG_ENRICHER setting in the env config of the Subscription does not work
Version-Release number of selected component (if applicable):
Security-profiles-operator-bundle-container-0.5.0-31 +4.12.0-0.nightly-2022-11-23-055211
How reproducible:
Always
Steps to Reproduce:
1. Install SPO with the below configuration in the Subscription:
  spec:
    config:
      env:
      - name: ENABLE_LOG_ENRICHER
        value: "true"
2. Create a new namespace, label it, and create the ProfileRecording:
$ oc new-project mytest
$ oc label ns mytest spo.x-k8s.io/enable-recording="true"
$ oc apply -f - <<EOF
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: hello-openshift-recording
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: hello-openshift
EOF
3. Create a service account with privileged permission (the RoleBinding subject carries an explicit namespace, which RBAC validation requires for ServiceAccount subjects):
$ oc create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spo-record-sa
  namespace: mytest
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spo-record
  namespace: mytest
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - privileged
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spo-record
  namespace: mytest
subjects:
- kind: ServiceAccount
  name: spo-record-sa
  namespace: mytest
roleRef:
  kind: Role
  name: spo-record
  apiGroup: rbac.authorization.k8s.io
EOF
4. Create a deployment to be recorded:
$ oc apply -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-openshift
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      serviceAccountName: spo-record-sa
      initContainers:
      - name: wait
        image: quay.io/openshifttest/centos:centos7
        command: ["/bin/sh", "-c", "env"]
      containers:
      - name: hello-openshift
        image: quay.io/openshifttest/hello-openshift:multiarch
        ports:
        - containerPort: 80
      - name: hello-openshift2
        image: quay.io/openshifttest/hello-openshift:multiarch-fedora
        ports:
        - containerPort: 81
EOF
5. Delete the deployment once the pods are running.
Actual results:
The seccompprofile recording is not working as expected. No seccompprofiles will be created.
Expected results:
The seccompprofile recording should work and seccompprofile should be created as expected.
Additional info:
It seems the log enricher is not actually working, although it appears to have been enabled (judging from the logs and the number of spod containers) through ENABLE_LOG_ENRICHER in the env config of the Subscription. Delete the deployment and the ProfileRecording, enable the log enricher with the below command, then recreate the ProfileRecording and the deployment; the seccompprofile recording then works as expected.
$ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'
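The report above shows that the Subscription env setting and the spod CR can disagree, and that only the spod CR reflects what is actually running. The following preflight checker is an added example written for this page, not code from the Security Profiles Operator project. It takes the objects an admin can fetch with `oc get <kind> -o json` (Subscription, spod, Namespace, ProfileRecording, Pods) as plain dicts and reports why a `logs` recording would produce no SeccompProfile: the enricher flag on the spod CR, the namespace opt-in label, and whether any pod matches the recording's podSelector. The helper and constant names, the constructed sample objects at the bottom (built to mirror the reported state, not real cluster output), and the assumption that `spec.enableLogEnricher` is the authoritative switch are all mine; the label, env name and merge patch come from the report.

```python
"""Preflight checks for SPO seccomp profile recording (added example, not SPO code)."""
import json
from typing import Any, Dict, List, Optional

RECORDING_LABEL = "spo.x-k8s.io/enable-recording"  # namespace label used in the report
ENRICHER_ENV = "ENABLE_LOG_ENRICHER"                # Subscription env name used in the report


def subscription_env(sub: Dict[str, Any], name: str) -> Optional[str]:
    """Return the value of an env entry under spec.config.env, or None if absent."""
    for entry in sub.get("spec", {}).get("config", {}).get("env", []) or []:
        if entry.get("name") == name:
            return entry.get("value")
    return None


def selector_matches(selector: Dict[str, Any], labels: Dict[str, str]) -> bool:
    """matchLabels semantics only: every key/value in the selector must be present."""
    wanted = selector.get("matchLabels", {}) or {}
    return all(labels.get(k) == v for k, v in wanted.items())


def check_recording(sub, spod, namespace, recording, pods) -> List[str]:
    """Return human-readable findings; an empty list means recording should work."""
    findings: List[str] = []
    spec = recording.get("spec", {})
    rec_ns = recording["metadata"]["namespace"]

    # 1. The 'logs' recorder depends on the log enricher running in spod. Assumption:
    #    spod.spec.enableLogEnricher is what is deployed; the Subscription env is only a request.
    if spec.get("recorder") == "logs":
        if not spod.get("spec", {}).get("enableLogEnricher", False):
            msg = "spod.spec.enableLogEnricher is false; the 'logs' recorder cannot emit profiles"
            if subscription_env(sub, ENRICHER_ENV) == "true":
                msg += f" (Subscription sets {ENRICHER_ENV}=true, but it did not reach the spod CR)"
            findings.append(msg)

    # 2. Recording is opted in per namespace via the label used in the report.
    ns_labels = namespace.get("metadata", {}).get("labels", {}) or {}
    if ns_labels.get(RECORDING_LABEL) != "true":
        findings.append(f"namespace {namespace['metadata']['name']} lacks {RECORDING_LABEL}=true")

    # 3. At least one pod in the recording's namespace must match podSelector.
    matched = [
        p["metadata"]["name"]
        for p in pods
        if p["metadata"].get("namespace") == rec_ns
        and selector_matches(spec.get("podSelector", {}), p["metadata"].get("labels", {}) or {})
    ]
    if not matched:
        findings.append(f"no pod in {rec_ns} matches podSelector {spec.get('podSelector')}")
    return findings


def enricher_merge_patch() -> str:
    """Merge patch body from the report's workaround, for `oc patch spod spod --type=merge -p`."""
    return json.dumps({"spec": {"enableLogEnricher": True}}, separators=(",", ":"))


def apply_workaround(spod: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the merge patch locally (what the API server does for --type=merge); input is not mutated."""
    patched = json.loads(json.dumps(spod))
    patched.setdefault("spec", {}).update(json.loads(enricher_merge_patch())["spec"])
    return patched


# --- constructed sample objects mirroring the reported state (not real cluster output) ---
SUBSCRIPTION = {"spec": {"config": {"env": [{"name": ENRICHER_ENV, "value": "true"}]}}}
SPOD = {"metadata": {"name": "spod", "namespace": "openshift-security-profiles"}, "spec": {}}
NAMESPACE = {"metadata": {"name": "mytest", "labels": {RECORDING_LABEL: "true"}}}
RECORDING = {
    "metadata": {"name": "hello-openshift-recording", "namespace": "mytest"},
    "spec": {"kind": "SeccompProfile", "recorder": "logs",
             "podSelector": {"matchLabels": {"app": "hello-openshift"}}},
}
PODS = [{"metadata": {"name": f"hello-openshift-{i}", "namespace": "mytest",
                      "labels": {"app": "hello-openshift"}}} for i in range(3)]

if __name__ == "__main__":
    for finding in check_recording(SUBSCRIPTION, SPOD, NAMESPACE, RECORDING, PODS):
        print("FINDING:", finding)
    print("after patch:", check_recording(SUBSCRIPTION, apply_workaround(SPOD), NAMESPACE, RECORDING, PODS))
```

Run against real objects by loading `oc get subscription <name> -n openshift-security-profiles -o json`, `oc get spod spod -n openshift-security-profiles -o json`, and the namespace, ProfileRecording and pod list with `json.load`; the first finding on the sample objects is exactly the mismatch the report describes, and it disappears once the spod CR is patched.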