Bug
Resolution: Unresolved
Minor
Quality / Stability / Reliability
Moderate
Description of problem:
SelinuxProfile and SeccompProfile Reconciliation generate lots of events
Version-Release number of selected component (if applicable):
SPO 0.8.6 OCP 4.17
How reproducible:
Each time on Power and Intel installations
Steps to Reproduce:
1. Create a 4.17 Cluster
2. Enable the log enricher, then run the script below, which records an SELinux profile for a throwaway pod 50 times in a row (the "sectest" namespace must exist; the script creates it if it is missing):
oc patch spod spod -p '{"spec":{"enableLogEnricher":true}}' --type=merge -n openshift-security-profiles

#!/usr/bin/env bash
# Define a single namespace for all tests
NAMESPACE="sectest"
# Ensure the test namespace exists (added; the original run assumed it was already there)
oc get namespace "$NAMESPACE" >/dev/null 2>&1 || oc create namespace "$NAMESPACE"
for ((i=1; i<=50; i++))
do
  echo "Iteration $i: Creating SELinuxProfile and associated resources..."
  # Define the profile name for each iteration
  PROFILE="rec-selinux-$i"
  # Create ProfileRecording: records a SelinuxProfile from the log enricher for pods labelled app=demo-$i
  cat <<EOF | oc apply -f -
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: $PROFILE
  namespace: $NAMESPACE
spec:
  kind: SelinuxProfile
  mergeStrategy: none
  podSelector:
    matchLabels:
      app: demo-$i
  recorder: logs
EOF
  # Create a unique Pod for each ProfileRecording
  cat <<EOF | oc apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: demo-app-$i
  namespace: $NAMESPACE
  labels:
    app: demo-$i
spec:
  containers:
  - image: quay.io/ktalathi/spo-demo:latest
    name: demo
    args:
    - /log/demologs.log
    volumeMounts:
    - name: logs
      mountPath: /log/
  restartPolicy: Never
  volumes:
  - name: logs
    hostPath:
      path: /var/log/
      type: Directory
EOF
  echo "Waiting 30 seconds for Pod to start..."
  sleep 30
  # Delete the Pod after running; the recording is finalized once the pod is gone
  echo "Deleting Pod demo-app-$i in namespace $NAMESPACE..."
  oc delete pod "demo-app-$i" -n "$NAMESPACE"
  echo "Waiting 30 seconds after Pod deletion..."
  sleep 30
  # Wait for the recorded SELinuxProfile (named <recording>-<container>) to be ready
  echo "Waiting for SelinuxProfile $PROFILE-demo to become ready..."
  oc wait --for=condition=ready --timeout=300s selinuxprofile "$PROFILE-demo" -n "$NAMESPACE"
  echo "Iteration $i completed!"
done
echo "All iterations completed successfully!"
3.
Actual results:
# oc get events --all-namespaces -o json | jq -r '.items[] | select(.involvedObject.kind == "SelinuxProfile") | "\(.involvedObject.name):\(.count)"' | \
awk -F: 'BEGIN {print "profile\tcount"} {count[$1] += $2; total += $2} END {for (profile in count) print profile, count[profile]; print "Total events:", total}' | sort
SelinuxProfile Event count
rec-selinux-10-demo 974
rec-selinux-11-demo 955
rec-selinux-12-demo 961
rec-selinux-13-demo 955
rec-selinux-14-demo 936
rec-selinux-15-demo 904
rec-selinux-16-demo 898
rec-selinux-17-demo 904
rec-selinux-18-demo 904
rec-selinux-19-demo 844
rec-selinux-1-demo 1078
rec-selinux-20-demo 850
rec-selinux-21-demo 841
rec-selinux-22-demo 848
rec-selinux-23-demo 801
rec-selinux-24-demo 778
rec-selinux-25-demo 788
rec-selinux-26-demo 783
rec-selinux-27-demo 749
rec-selinux-28-demo 727
rec-selinux-29-demo 717
rec-selinux-2-demo 1068
rec-selinux-30-demo 724
rec-selinux-31-demo 725
rec-selinux-32-demo 669
rec-selinux-33-demo 655
rec-selinux-34-demo 660
rec-selinux-35-demo 658
rec-selinux-36-demo 608
rec-selinux-37-demo 600
rec-selinux-38-demo 601
rec-selinux-39-demo 597
rec-selinux-3-demo 1072
rec-selinux-40-demo 557
rec-selinux-41-demo 550
rec-selinux-42-demo 548
rec-selinux-43-demo 535
rec-selinux-44-demo 497
rec-selinux-45-demo 497
rec-selinux-46-demo 491
rec-selinux-47-demo 457
rec-selinux-48-demo 437
rec-selinux-49-demo 439
rec-selinux-4-demo 1080
rec-selinux-50-demo 438
rec-selinux-5-demo 1031
rec-selinux-6-demo 1017
rec-selinux-7-demo 1020
rec-selinux-8-demo 1014
rec-selinux-9-demo 1012
Total events: 38452
Expected results:
38K events for 50 profiles seems high; in practice, event volume at this rate could put pressure on etcd.
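As an added example (not part of this bug report or of the Security Profiles Operator code), the Python script below does what the jq/awk pipeline in "Actual results" does, generalized to any involvedObject kind and to events that carry their occurrence count in series.count rather than count, and flags objects whose event total crosses a threshold so that a reconciler event storm like the one above can be caught before it loads etcd. The embedded sample JSON is constructed for the example; its reason strings are placeholders, not the operator's real event reasons. Pipe real data in with: oc get events -A -o json | python3 event_storm.py 500

```python
"""Aggregate Kubernetes events per involved object and flag event storms."""
import json
import sys
from collections import defaultdict

# Constructed sample shaped like `oc get events -A -o json` output (not real cluster data;
# reason values are placeholders, not the operator's actual event reasons).
SAMPLE_EVENTS_JSON = json.dumps({
    "items": [
        {"involvedObject": {"kind": "SelinuxProfile", "namespace": "sectest", "name": "rec-selinux-1-demo"},
         "reason": "PlaceholderReconciled", "count": 600},
        {"involvedObject": {"kind": "SelinuxProfile", "namespace": "sectest", "name": "rec-selinux-1-demo"},
         "reason": "PlaceholderInstalled", "count": 478},
        {"involvedObject": {"kind": "SelinuxProfile", "namespace": "sectest", "name": "rec-selinux-50-demo"},
         "reason": "PlaceholderReconciled", "count": 438},
        # core/v1 Event without a count field: a single occurrence
        {"involvedObject": {"kind": "Pod", "namespace": "sectest", "name": "demo-app-1"},
         "reason": "Scheduled"},
        # Event recorded through the newer events API: occurrences live in series.count
        {"involvedObject": {"kind": "Pod", "namespace": "sectest", "name": "demo-app-2"},
         "reason": "Pulled", "series": {"count": 3}},
        {"involvedObject": {"kind": "SeccompProfile", "namespace": "sectest", "name": "rec-seccomp-1-demo"},
         "reason": "PlaceholderReconciled", "count": 12},
    ]
})


def event_count(item):
    """Occurrences represented by one Event object: count, else series.count, else 1."""
    count = item.get("count")
    if count is None:
        count = (item.get("series") or {}).get("count", 1)
    return int(count)


def aggregate_events(events_json, kind=None):
    """Sum event occurrences per (kind, namespace, name), optionally restricted to one kind."""
    totals = defaultdict(int)
    for item in json.loads(events_json).get("items", []):
        obj = item.get("involvedObject", {})
        if kind and obj.get("kind") != kind:
            continue
        key = (obj.get("kind", "?"), obj.get("namespace", ""), obj.get("name", "?"))
        totals[key] += event_count(item)
    return dict(totals)


def find_event_storms(events_json, threshold, kind=None):
    """Objects whose aggregated event count is at or above threshold, highest first."""
    totals = aggregate_events(events_json, kind)
    hot = [(key, n) for key, n in totals.items() if n >= threshold]
    return sorted(hot, key=lambda kn: (-kn[1], kn[0]))


def report(events_json, threshold, kind=None):
    """Human-readable table of offenders plus the overall total, as one string."""
    lines = [f"{'kind':<16}{'namespace':<12}{'name':<24}{'events':>7}"]
    for (k, ns, name), n in find_event_storms(events_json, threshold, kind):
        lines.append(f"{k:<16}{ns:<12}{name:<24}{n:>7}")
    total = sum(aggregate_events(events_json, kind).values())
    lines.append(f"Total events: {total}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Threshold from argv[1] (default 100); events JSON from stdin, else the built-in sample.
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 100
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EVENTS_JSON
    print(report(data, limit))
```

Restrict the aggregation with kind="SelinuxProfile" to reproduce the per-profile table from the report; without the filter it also surfaces SeccompProfile objects, which the description says reconcile the same way.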
Additional info:
Kaushik encountered this