Bug
Resolution: Done
Major
Description of problem:
When trying to do log enricher based SelinuxProfile recording for a deployment, the SelinuxProfile is not created after the deployment is deleted. The weird point is: after the workload is created, there is no scontext or tcontext info in the spod logs in the log-enricher container; instead, the type is seccomp.

% oc get pod
NAME                              READY   STATUS    RESTARTS   AGE
hello-openshift-6d576cf98-9g66m   2/2     Running   0          11s
hello-openshift-6d576cf98-b2c2m   2/2     Running   0          11s
hello-openshift-6d576cf98-jmcl4   2/2     Running   0          11s

% oc get deploy
NAME              READY   UP-TO-DATE   AVAILABLE   AGE
hello-openshift   3/3     3            3           15s

In the log-enricher container:
audit logger=log-enricher type=seccomp node=NODE_NAME namespace=mytest pod=hello-openshift-6d576cf98-9g66m container=redis pid=110067 syscallID=39 syscallName=getpid ...
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Install SPO security-profiles-operator.v0.9.0.
2. Set enableLogEnricher to true:
   $ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'
3. Create a namespace and set the right labels:
   $ oc new-project mytest
   $ oc label ns mytest spo.x-k8s.io/enable-recording="true"
   $ oc label ns mytest security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged --overwrite=true
4. Create a ProfileRecording:
   % oc apply -f - <<EOF
   apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
   kind: ProfileRecording
   metadata:
     name: hello-openshift-recording
   spec:
     kind: SelinuxProfile
     recorder: logs
     podSelector:
       matchLabels:
         app: hello-openshift
   EOF
   profilerecording.security-profiles-operator.x-k8s.io/hello-openshift-recording created
5. Create a deployment to be recorded.
6. Delete the deployment.
Actual results:
At step 5, after the workload is created, the profile type being recorded in the log-enricher container of the spod pods is seccomp, not selinux. At step 6, no SelinuxProfile is created.
Expected results:
A SelinuxProfile should be created.
Additional info:
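As an added check (not part of this report or of the security-profiles-operator code): a small Python script that parses log-enricher audit lines of the shape quoted in the description and flags containers, matched by a ProfileRecording, whose recorded type does not match the recording kind. It assumes that a SelinuxProfile recording is expected to produce lines with type=selinux carrying scontext= and tcontext= fields, while a SeccompProfile recording produces type=seccomp lines with syscallID= and syscallName=. The sample log lines are constructed from the one shown above; the selinux line and the "other" namespace are made up to exercise the matching case.

```python
"""Compare what the SPO log enricher records against the ProfileRecording kind.

Added example for this bug, not code from the report or from
security-profiles-operator. Reads 'audit logger=log-enricher ...' lines
(key=value fields, as shown in the report) and reports containers whose
recorded type or fields do not match what the ProfileRecording asked for.
"""
import re
from collections import defaultdict

# Constructed sample: two seccomp lines like the one in the report (the bug)
# and one selinux line of the shape assumed for a working SelinuxProfile recording.
SAMPLE_LOG = """\
audit logger=log-enricher type=seccomp node=NODE_NAME namespace=mytest pod=hello-openshift-6d576cf98-9g66m container=redis pid=110067 syscallID=39 syscallName=getpid
audit logger=log-enricher type=seccomp node=NODE_NAME namespace=mytest pod=hello-openshift-6d576cf98-9g66m container=redis pid=110067 syscallID=1 syscallName=write
audit logger=log-enricher type=selinux node=NODE_NAME namespace=other pod=web-0 container=nginx pid=4242 perm=read scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:container_file_t:s0:c1,c2 tclass=file
"""

# Assumption: audit 'type' value and fields expected for each ProfileRecording kind.
EXPECTED = {
    "SelinuxProfile": ("selinux", ("scontext", "tcontext")),
    "SeccompProfile": ("seccomp", ("syscallID", "syscallName")),
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of a log-enricher audit line, or None."""
    if not line.startswith("audit "):
        return None
    fields = dict(KV_RE.findall(line))
    if fields.get("logger") != "log-enricher":
        return None
    return fields


def check_recording(log_text, kind, namespace, pod_prefix):
    """Check pods in `namespace` whose name starts with `pod_prefix` (the
    pods a ProfileRecording of `kind` would select) against EXPECTED.

    Returns a sorted list of (pod, container, types_seen, missing_fields)
    for every container that recorded the wrong type or lacks expected fields;
    an empty list means the enricher output matches the recording kind.
    """
    want_type, want_fields = EXPECTED[kind]
    per_container = defaultdict(lambda: {"types": set(), "fields": set()})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("namespace") != namespace:
            continue
        if not f.get("pod", "").startswith(pod_prefix):
            continue
        entry = per_container[(f["pod"], f.get("container", "?"))]
        entry["types"].add(f.get("type", "missing"))
        entry["fields"].update(f.keys())

    problems = []
    for (pod, container), entry in sorted(per_container.items()):
        missing = [x for x in want_fields if x not in entry["fields"]]
        if entry["types"] != {want_type} or missing:
            problems.append((pod, container, sorted(entry["types"]), missing))
    return problems


if __name__ == "__main__":
    # Same selector as the report's ProfileRecording: namespace mytest,
    # pods of the hello-openshift deployment, kind SelinuxProfile.
    for pod, container, types, missing in check_recording(
        SAMPLE_LOG, "SelinuxProfile", "mytest", "hello-openshift-"
    ):
        print(f"MISMATCH pod={pod} container={container} "
              f"recorded={types} missing={missing}")
```

Run against the real enricher output with `oc -n openshift-security-profiles logs ds/spod -c log-enricher`, piped into the script in place of SAMPLE_LOG; any line in the result means the enricher is not emitting the type the recording kind requires, which is the symptom described in this bug.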