- Bug
- Resolution: Unresolved
- Normal
- None
- 4.14.0
- None
- Low
- No
- False
Description of problem:
When the mergeStrategy is set to containers, the profilebinding doesn't work as expected if one container name is a substring of another container's name. For example, the workload to be recorded is:

    $ oc apply -f -<<EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello-openshift
      namespace: mytest
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: hello-openshift
      template:
        metadata:
          labels:
            app: hello-openshift
        spec:
          serviceAccountName: spo-record-sa
          initContainers:
          - name: wait
            image: quay.io/openshifttest/centos:centos7
            command: ["/bin/sh", "-c", "env"]
          containers:
          - name: hello-openshift
            image: quay.io/openshifttest/hello-openshift:multiarch
            ports:
            - containerPort: 8080
            readinessProbe:
              tcpSocket:
                port: 8080
              initialDelaySeconds: 5
              periodSeconds: 5
          - name: hello-openshift2
            image: quay.io/openshifttest/hello-openshift:multiarch-fedora
            ports:
            - containerPort: 8081
            readinessProbe:
              tcpSocket:
                port: 8081
              initialDelaySeconds: 5
              periodSeconds: 5
    EOF
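To make the failure mode concrete, the following added example (not code from the Security Profiles Operator, and not the reporter's) contrasts a naive prefix match with an exact match when grouping per-pod profiles by container. It assumes only the `<recording>-<container>-<podSuffix>` naming visible in the report's output; the two grouping functions are illustrative.

```go
package main

import (
	"fmt"
	"strings"
)

// Per-pod profile names in the form <recording>-<container>-<podSuffix>,
// a constructed subset of the report's "Before merge" output.
var recordedProfiles = []string{
	"test-recording-hello-openshift-8n4jh",
	"test-recording-hello-openshift-ht9dp",
	"test-recording-hello-openshift2-8n4jh",
	"test-recording-hello-openshift2-ht9dp",
}

// groupByPrefix models the suspected failure: a profile goes to the first container
// whose "<recording>-<container>" is a prefix of its name, so hello-openshift2 is swallowed.
func groupByPrefix(recording string, containers, profiles []string) map[string][]string {
	groups := map[string][]string{}
	for _, p := range profiles {
		for _, c := range containers {
			if strings.HasPrefix(p, recording+"-"+c) {
				groups[c] = append(groups[c], p)
				break
			}
		}
	}
	return groups
}

// groupByExactContainer strips the recording prefix and trailing pod suffix and
// groups on the exact remainder, so a name that is a substring of another stays separate.
func groupByExactContainer(recording string, profiles []string) map[string][]string {
	groups := map[string][]string{}
	for _, p := range profiles {
		body := strings.TrimPrefix(p, recording+"-")
		container := body
		if i := strings.LastIndex(body, "-"); i >= 0 {
			container = body[:i] // drop "-<podSuffix>"
		}
		groups[container] = append(groups[container], p)
	}
	return groups
}

func main() {
	fmt.Println("prefix match:", groupByPrefix("test-recording", []string{"hello-openshift", "hello-openshift2"}, recordedProfiles))
	fmt.Println("exact match: ", groupByExactContainer("test-recording", recordedProfiles))
}
```

With the prefix approach every hello-openshift2 profile lands in the hello-openshift group and the hello-openshift2 group is empty; with the exact match each container gets its own two profiles.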
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Install Security Profiles Operator
2. Create a ns mytest
3. Label ns with recording and privileged permission
4. Create sa
5. Create a profilerecording:

    $ oc apply -f -<<EOF
    apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
    kind: ProfileRecording
    metadata:
      name: test-recording
    spec:
      kind: SelinuxProfile
      recorder: logs
      mergeStrategy: containers
      podSelector:
        matchLabels:
          app: hello-openshift
    EOF
    profilerecording.security-profiles-operator.x-k8s.io/test-recording created

6. Create a deployment to be recorded:

    $ oc apply -f -<<EOF
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: hello-openshift
      namespace: mytest
    spec:
      replicas: 3
      selector:
        matchLabels:
          app: hello-openshift
      template:
        metadata:
          labels:
            app: hello-openshift
        spec:
          serviceAccountName: spo-record-sa
          initContainers:
          - name: wait
            image: quay.io/openshifttest/centos:centos7
            command: ["/bin/sh", "-c", "env"]
          containers:
          - name: hello-openshift
            image: quay.io/openshifttest/hello-openshift:multiarch
            ports:
            - containerPort: 8080
            readinessProbe:
              tcpSocket:
                port: 8080
              initialDelaySeconds: 5
              periodSeconds: 5
          - name: hello-openshift2
            image: quay.io/openshifttest/hello-openshift:multiarch-fedora
            ports:
            - containerPort: 8081
            readinessProbe:
              tcpSocket:
                port: 8081
              initialDelaySeconds: 5
              periodSeconds: 5
    EOF
    deployment.apps/hello-openshift created

7. Delete the deploy and create another workload:

    $ oc create -f -<<EOF
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: hello-dae
    spec:
      selector:
        matchLabels:
          app: hello-openshift
      template:
        metadata:
          labels:
            app: hello-openshift
        spec:
          nodeSelector:
            node-role.kubernetes.io/worker: ""
          serviceAccount: spo-record-sa
          containers:
          - name: nginx
            image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
            ports:
            - containerPort: 8081
          - name: redis
            image: quay.io/security-profiles-operator/redis:6.2.1
            ports:
            - containerPort: 8082
    EOF
    daemonset.apps/hello-dae created

8. Delete the workload and profilerecording
Actual results:
The selinuxprofiles are merged. However, one of the merged selinuxprofiles never reaches Installed status.

Before merge:

    $ oc get selinuxprofiles.security-profiles-operator.x-k8s.io
    NAME                                    USAGE                                                  STATE
    test-recording-hello-openshift-8n4jh    test-recording-hello-openshift-8n4jh_mytest.process    Partial
    test-recording-hello-openshift-ht9dp    test-recording-hello-openshift-ht9dp_mytest.process    Partial
    test-recording-hello-openshift-j2pkj    test-recording-hello-openshift-j2pkj_mytest.process    Partial
    test-recording-hello-openshift-j7j7v    test-recording-hello-openshift-j7j7v_mytest.process    Partial
    test-recording-hello-openshift-nkqz9    test-recording-hello-openshift-nkqz9_mytest.process    Partial
    test-recording-hello-openshift-v8dtd    test-recording-hello-openshift-v8dtd_mytest.process    Partial
    test-recording-hello-openshift2-8n4jh   test-recording-hello-openshift2-8n4jh_mytest.process   Partial
    test-recording-hello-openshift2-ht9dp   test-recording-hello-openshift2-ht9dp_mytest.process   Partial
    test-recording-hello-openshift2-j2pkj   test-recording-hello-openshift2-j2pkj_mytest.process   Partial
    test-recording-hello-openshift2-j7j7v   test-recording-hello-openshift2-j7j7v_mytest.process   Partial
    test-recording-hello-openshift2-nkqz9   test-recording-hello-openshift2-nkqz9_mytest.process   Partial
    test-recording-hello-openshift2-v8dtd   test-recording-hello-openshift2-v8dtd_mytest.process   Partial
    test-recording-nginx-4bs5n              test-recording-nginx-4bs5n_mytest.process              Partial
    test-recording-nginx-8v2rh              test-recording-nginx-8v2rh_mytest.process              Partial
    test-recording-nginx-tgdvq              test-recording-nginx-tgdvq_mytest.process              Partial
    test-recording-nginx-vxzw9              test-recording-nginx-vxzw9_mytest.process              Partial
    test-recording-redis-4bs5n              test-recording-redis-4bs5n_mytest.process              Partial
    test-recording-redis-8v2rh              test-recording-redis-8v2rh_mytest.process              Partial
    test-recording-redis-tgdvq              test-recording-redis-tgdvq_mytest.process              Partial
    test-recording-redis-vxzw9              test-recording-redis-vxzw9_mytest.process              Partial

After merge (note the merged test-recording-hello-openshift profile has no USAGE and no STATE):

    $ oc get selinuxprofiles.security-profiles-operator.x-k8s.io
    NAME                              USAGE                                            STATE
    test-recording-hello-openshift
    test-recording-hello-openshift2   test-recording-hello-openshift2_mytest.process   Installed
    test-recording-nginx              test-recording-nginx_mytest.process              Installed
    test-recording-redis              test-recording-redis_mytest.process              Installed
Expected results:
All selinuxprofiles should be merged properly per container.
Additional info: