-
Bug
-
Resolution: Unresolved
-
Undefined
-
None
-
4.15.z, 4.17.0, 4.16.z
-
None
-
Important
-
None
-
False
-
Description of problem:
Failed to delete the profilebinding after creating as profilebinding with the image variable set to "*" wildcard attribute to binds all pods
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Install Security-profiles-operator.v0.8.4 2. Create a ns mytest, add labels: % oc label ns mytest spo.x-k8s.io/enable-binding=truenamespace/mytest labeled % oc label ns mytest security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite=true 3. Create a selinuxprofile called errorlogger 4. Create a pb: % oc apply -f -<<EOF apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 kind: ProfileBinding metadata: namespace: mytest name: nginx-binding spec: profileRef: kind: SelinuxProfile name: errorlogger image: "*" EOF 5. Create a deployment and a pod 6. Check all pods are running and all pod are binded with errorlogger selinuxprofile 7. Delete the deployment and pod 8. Delete the profilebinding
Actual results:
The profilebinding could NOT be deleted successfully. The delete command will never return.% oc delete profilebinding nginx-bindingprofilebinding.security-profiles-operator.x-k8s.io "nginx-binding" deleted
Expected results:
The profilebinding could be deleted successfully
Additional info:
This issue could also be reproduced with seccompprofile profile recording