Bug
Resolution: Unresolved
Affects: 4.14.z
apiVersion: v1
kind: Pod
metadata:
  namespace: my-namespace
  name: my-pod
  labels:
    app: my-app
spec:
  containers:
    - name: nginx
      image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
      ports:
        - containerPort: 8080
    - name: redis
      image: quay.io/security-profiles-operator/redis:6.2.1
Please use another example instead of a bare pod, e.g. a Deployment, a Job, etc.

When an admin user creates a pod directly, it will automatically run as privileged, and thus profiling will not work. It is not unlikely that this action will actually be run by an admin. When one uses a Deployment, etc., the pod is admitted using the service account attached to the pod, so there is more control and it is more explicit what privilege level the created pod(s) will have.
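The following Deployment is an added example for this report, not the operator's own documentation. It carries the same containers and the same `app: my-app` label as the pod above, so any profile recording that selects on that label still matches, but the pod template names a service account explicitly; the deployment name `my-deployment` and the service account `my-sa` are assumed values and must exist in `my-namespace`.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: my-namespace
  name: my-deployment          # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app            # same label as the pod example, so selectors keep matching
    spec:
      # The pod is admitted with the permissions of this service account,
      # not with those of whoever ran `oc apply`. This is what keeps the
      # pod from silently landing in a privileged SCC when an admin creates it.
      serviceAccountName: my-sa  # assumed; create it beforehand
      containers:
        - name: nginx
          image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
          ports:
            - containerPort: 8080
        - name: redis
          image: quay.io/security-profiles-operator/redis:6.2.1
```

After applying it, the SCC actually chosen for the resulting pod can be read from the `openshift.io/scc` annotation on the pod (for example with `oc get pod -n my-namespace -l app=my-app -o jsonpath='{.items[*].metadata.annotations.openshift\.io/scc}'`); with the Deployment it reflects the service account's permissions rather than the admin's.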