OCPBUGS-13961

The namespace/example output in paragraph 'Recording profiles from workloads' is not correct


    • Moderate
    • No
    • 1
    • OSDOCS Sprint 242, OSDOCS Sprint 243, OSDOCS Sprint 244
    • 3
    • Rejected
    • False
    • N/A
    • Release Note Not Required

      Description of problem:

       

      In paragraph https://docs.openshift.com/container-platform/4.13/security/security_profiles_operator/spo-seccomp.html#spo-recording-profiles_spo-seccomp, the namespace in the steps below is not correct:
      1. In Procedure 2, when creating the ProfileRecording, better to add `namespace: my-namespace`
      2. In Procedure 3, when creating the pod, better to add `namespace: my-namespace`
      3. In Procedure 4, the namespace in the command is wrong. Should be `oc -n my-namespace get pods`
      4. In Procedure 5, the Example output is wrong. NOTE: the log output for seccompprofile and selinuxprofile is totally different. Please don't update the output for selinuxprofile when changing the output for seccompprofile. The example output should look like below:
      I0523 14:19:08.747313  430694 enricher.go:445] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="my-namespace" "node"="xiyuan-23-5g2q9-worker-eastus2-6rpgf" "pid"=656802 "pod"="my-pod" "syscallID"=0 "syscallName"="read" "timestamp"="1684851548.745:207179" "type"="seccomp"  
      5. In Verification 1, the namespace in the command is wrong. Should be `oc -n my-namespace delete pod my-pod`
      In Verification 2, the output is wrong. Please note: the output for seccomp and selinux is different:
      $ oc get seccompprofiles -lspo.x-k8s.io/recording-id=test-recording -n my-namespace
      NAME                   STATUS      AGE
      test-recording-nginx   Installed   56s
      test-recording-redis   Installed   56s
      In paragraph https://docs.openshift.com/container-platform/4.13/security/security_profiles_operator/spo-seccomp.html#spo-container-profile-instances_spo-seccomp, the namespace in the steps below is not set/correct:
      1. In Procedure 1, when creating the ProfileRecording, better to add `namespace: my-namespace`
      2. In Procedure 2, before creating the deployment, need to label the namespace, otherwise the pod could not get running:
      $ oc label ns my-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite=true
      namespace/my-namespace labeled
      when creating the workload, better to add `namespace: my-namespace` 
      
      3. In Procedure 3, the namespace is wrong in the command. Should be updated as below:
      $ oc delete deployment nginx-deploy -n my-namespace  
      4. In Procedure 4, better to add the namespace in the command:
      $ oc delete profilerecording test-recording -n my-namespace
      
      5. In Procedure 5, the output is wrong. NOTE: the log output for seccompprofile and selinuxprofile is totally different. Should be updated as below:
      $ oc get seccompprofiles -lspo.x-k8s.io/recording-id=test-recording -n my-namespace
      NAME                          STATUS      AGE
      test-recording-nginx-record   Installed   55s
      In https://docs.openshift.com/container-platform/4.13/security/security_profiles_operator/spo-selinux.html#spo-recording-profiles_spo-selinux, the namespace in the steps below is not correct:
      1. In Procedure 2, when creating the ProfileRecording, better to add `namespace: my-namespace`
      2. In Procedure 3, when creating the pod, better to add `namespace: my-namespace`
      3. In Procedure 4, the command is wrong. Should be `oc -n my-namespace get pods`
      4. In Verification 1, the command is wrong. Should be `oc -n my-namespace delete pod my-pod`
      In https://docs.openshift.com/container-platform/4.13/security/security_profiles_operator/spo-selinux.html#spo-container-profile-instances_spo-selinux, the namespace in the steps below is not set/correct:
      1. In Procedure 1, when creating the ProfileRecording, better to add `namespace: my-namespace`
      2. In Procedure 2, before creating the deployment, need to label the namespace
      $ oc label ns my-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite=true
      namespace/my-namespace labeled
      when creating the workload, better to add `namespace: my-namespace` 
      
      3. In Procedure 3, better to add the namespace in the command:
      $ oc delete deployment nginx-deploy -n my-namespace  
      4. In Procedure 4, better to add the namespace in the command:
      $ oc delete profilerecording test-recording -n my-namespace
      
      5. In Procedure 5, the Example output should be:
      $ oc get selinuxprofiles -lspo.x-k8s.io/recording-id=test-recording -n my-namespace
      NAME                          USAGE                                              STATE
      test-recording-nginx-record   test-recording-nginx-record_my-namespace.process   Installed
      

       

      Version-Release number of selected component (if applicable):

      4.12 and 4.12+

      How reproducible:

      Always

      Steps to Reproduce:

      1.
      2.
      3.
      

      Actual results:

      Seen from description

      Expected results:

      Seen from description

      Additional info:

       

            rhn-support-jbrigman James Brigman
            xiyuan@redhat.com Xiaojie Yuan
            Xiaojie Yuan Xiaojie Yuan
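
The seccomp log-enricher line quoted in the description can be parsed and filtered by namespace and pod to confirm that a recording captures the workload in `my-namespace` rather than a pod of the same name elsewhere. This is an added example, not part of the original report or of the Security Profiles Operator; `parse_enricher_line` and `syscalls_by_container` are hypothetical helper names, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Matches "key"="string" or "key"=123 pairs as they appear in the
# log-enricher line quoted in the report.
_PAIR = re.compile(r'"(\w+)"=(?:"([^"]*)"|(\d+))')
_MARKER = "] log-enricher "

def parse_enricher_line(line):
    """Return the fields of a log-enricher audit line as a dict, else None."""
    idx = line.find(_MARKER)
    if idx == -1:
        return None
    fields = {}
    for m in _PAIR.finditer(line[idx + len(_MARKER):]):
        number = m.group(3)
        fields[m.group(1)] = int(number) if number is not None else m.group(2)
    return fields if fields.get("msg") == "audit" else None

def syscalls_by_container(lines, namespace, pod):
    """Group recorded seccomp syscall names by container for one namespace/pod."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_enricher_line(line)
        if not f or f.get("type") != "seccomp":
            continue
        if f.get("namespace") != namespace or f.get("pod") != pod:
            continue
        if "container" in f and "syscallName" in f:
            seen[f["container"]].add(f["syscallName"])
    return {name: sorted(calls) for name, calls in seen.items()}

SAMPLE_LOG = [
    # First line is the example output quoted in the report.
    'I0523 14:19:08.747313  430694 enricher.go:445] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="my-namespace" "node"="xiyuan-23-5g2q9-worker-eastus2-6rpgf" "pid"=656802 "pod"="my-pod" "syscallID"=0 "syscallName"="read" "timestamp"="1684851548.745:207179" "type"="seccomp"',
    # The remaining lines are constructed for this example.
    'I0523 14:19:08.747401  430694 enricher.go:445] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="my-namespace" "node"="worker-0" "pid"=656802 "pod"="my-pod" "syscallID"=1 "syscallName"="write" "timestamp"="1684851548.746:207180" "type"="seccomp"',
    'I0523 14:19:08.748002  430694 enricher.go:445] log-enricher "msg"="audit" "container"="nginx" "executable"="/usr/sbin/nginx" "namespace"="my-namespace" "node"="worker-0" "pid"=656810 "pod"="my-pod" "syscallID"=257 "syscallName"="openat" "timestamp"="1684851548.747:207181" "type"="seccomp"',
    'I0523 14:19:08.749110  430694 enricher.go:445] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="default" "node"="worker-0" "pid"=700001 "pod"="my-pod" "syscallID"=3 "syscallName"="close" "timestamp"="1684851548.748:207182" "type"="seccomp"',
    "unrelated line from another component",
]

if __name__ == "__main__":
    for ns in ("my-namespace", "default"):
        print(ns, syscalls_by_container(SAMPLE_LOG, ns, "my-pod"))
```
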