Bug | Resolution: Done | Major | 4.12 | Important | CMP Sprint 57, CMP Sprint 58 | Rejected
Description of problem:
The number of selinuxprofiles generated by profilerecording was not correct.

Version-Release number of selected component (if applicable):
4.12.0-0.nightly-2022-11-10-033725 + security-profiles-operator-bundle-container-0.5.0-24

Description of problem:
Tried to record selinuxprofiles for the workload below, and found that the number of selinuxprofiles generated by profilerecording was not correct.
$ oc apply -f -<<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-openshift
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      serviceAccountName: spo-record-sa
      initContainers:
      - name: wait
        image: quay.io/openshifttest/centos:centos7
        command: ["/bin/sh", "-c", "env"]
      containers:
      - name: hello-openshift
        image: quay.io/openshifttest/hello-openshift:multiarch
        ports:
        - containerPort: 80
      - name: hello-openshift2
        image: quay.io/openshifttest/hello-openshift:multiarch-fedora
        ports:
        - containerPort: 81
EOF
$ oc get selinuxprofiles.security-profiles-operator.x-k8s.io -w
NAME USAGE STATE
test-recording-hello-openshift-dk58m test-recording-hello-openshift-dk58m_mytest.process Partial
test-recording-hello-openshift-mw95r test-recording-hello-openshift-mw95r_mytest.process Partial
test-recording-hello-openshift2-dk58m test-recording-hello-openshift2-dk58m_mytest.process Partial
test-recording-hello-openshift2-mw95r test-recording-hello-openshift2-mw95r_mytest.process Partial
How reproducible:
Always
Steps to Reproduce:
1. Install SPO.
2. Enable the log enricher with the command below:
$ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'
3. Create a new namespace, mytest. To record using the enricher, create a ProfileRecording that uses recorder: logs:
$ oc new-project mytest
$ oc label ns mytest spo.x-k8s.io/enable-recording=true
$ oc apply -f -<<EOF
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: test-recording
spec:
  kind: SelinuxProfile
  recorder: logs
  mergeStrategy: containers
  podSelector:
    matchLabels:
      app: hello-openshift
EOF
4. Create the service account with privileged permission:
$ oc create -f -<<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: spo-record-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: spo-record
  namespace: mytest
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - privileged
  verbs:
  - use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spo-record
  namespace: mytest
subjects:
- kind: ServiceAccount
  name: spo-record-sa
roleRef:
  kind: Role
  name: spo-record
  apiGroup: rbac.authorization.k8s.io
EOF
5. Label the namespace and create the deployment to be recorded:
$ oc label ns mytest security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged --overwrite=true
$ oc apply -f -<<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-openshift
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      serviceAccountName: spo-record-sa
      initContainers:
      - name: wait
        image: quay.io/openshifttest/centos:centos7
        command: ["/bin/sh", "-c", "env"]
      containers:
      - name: hello-openshift
        image: quay.io/openshifttest/hello-openshift:multiarch
        ports:
        - containerPort: 80
      - name: hello-openshift2
        image: quay.io/openshifttest/hello-openshift:multiarch-fedora
        ports:
        - containerPort: 81
EOF
6. Delete the deployment.
Actual results:
The number of selinuxprofiles is not correct: 4 selinuxprofiles are created.
Expected results:
The number of selinuxprofiles should be correct.
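A small check, added here as an example and not part of the bug report or of SPO itself, that maps the Partial profiles listed by `oc get selinuxprofiles` in steps 5 and 6 back to (pod suffix, container) pairs and reports which pairs of the 3-replica Deployment have no profile. It assumes, from the names shown above rather than from SPO documentation, that a partial profile is named <recording>-<container>-<pod suffix> and that each app container of each pod should yield one; the ReplicaSet hash and the third pod suffix in PODS are constructed placeholders.

```python
# Assumed (from the names in the report, not from SPO docs): profile name is
# <recording>-<container>-<pod suffix>, one Partial profile per app container per pod.

# Output quoted in the report, re-typed here as constructed test input.
OC_GET_OUTPUT = """\
NAME USAGE STATE
test-recording-hello-openshift-dk58m test-recording-hello-openshift-dk58m_mytest.process Partial
test-recording-hello-openshift-mw95r test-recording-hello-openshift-mw95r_mytest.process Partial
test-recording-hello-openshift2-dk58m test-recording-hello-openshift2-dk58m_mytest.process Partial
test-recording-hello-openshift2-mw95r test-recording-hello-openshift2-mw95r_mytest.process Partial
"""

# Constructed pod names: the ReplicaSet hash and the third suffix are placeholders;
# the report only shows the suffixes dk58m and mw95r.
PODS = ["hello-openshift-5c9d4b7f6d-dk58m", "hello-openshift-5c9d4b7f6d-mw95r",
        "hello-openshift-5c9d4b7f6d-x7q2p"]
CONTAINERS = ["hello-openshift", "hello-openshift2"]  # app containers of the Deployment

def parse_partial_profiles(output, recording, containers):
    """Return {(pod_suffix, container)} for every Partial profile of `recording`.
    Container names may contain '-', so match the known names (longest first)
    instead of splitting the profile name on '-'."""
    found = set()
    for line in output.splitlines()[1:]:  # skip the NAME USAGE STATE header
        fields = line.split()
        if len(fields) < 3 or fields[2] != "Partial":
            continue
        rest = fields[0].removeprefix(recording + "-")  # Python 3.9+
        if rest == fields[0]:
            continue  # profile belongs to another ProfileRecording
        for container in sorted(containers, key=len, reverse=True):
            suffix = rest.removeprefix(container + "-")
            if suffix != rest and suffix and "-" not in suffix:
                found.add((suffix, container))
                break
    return found


def missing_profiles(pods, containers, recorded):
    """(pod suffix, container) pairs the Deployment should have produced but did not."""
    expected = {(pod.rsplit("-", 1)[-1], c) for pod in pods for c in containers}
    return sorted(expected - recorded)


if __name__ == "__main__":
    rec = parse_partial_profiles(OC_GET_OUTPUT, "test-recording", CONTAINERS)
    print(f"{len(rec)} partial profiles, expected {len(PODS) * len(CONTAINERS)}")
    for suffix, container in missing_profiles(PODS, CONTAINERS, rec):
        print(f"missing: pod *-{suffix}, container {container}")
```

On a live cluster, feed it the real `oc get selinuxprofiles` output and the pod names from `oc get pods` before deleting the deployment in step 6.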