Bug
Resolution: Done
Major
Description of problem:
When trying to do a profilerecording, the workload fails to be created due to `Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory`

```
% oc get profilerecordings
NAME
spo-recording
% oc get daemonsets.apps
NAME              DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                     AGE
hello-daemonset   3         3         0       3            0           node-role.kubernetes.io/worker=   5m18s
% oc get pod
NAME                    READY   STATUS                      RESTARTS   AGE
hello-daemonset-2t6wt   0/2     Init:CreateContainerError   0          5m22s
hello-daemonset-5mbrz   0/2     Init:CreateContainerError   0          5m22s
hello-daemonset-w6lt2   0/2     Init:CreateContainerError   0          5m22s
% oc get event | grep Failed
23s   Warning   Failed   pod/hello-daemonset-2t6wt   Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory
16s   Warning   Failed   pod/hello-daemonset-5mbrz   Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory
19s   Warning   Failed   pod/hello-daemonset-w6lt2   Error: setup seccomp: unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json: no such file or directory
```

Actually, the local file should be /var/lib/kubelet/seccomp/operator/log-enricher-trace.json

```
% oc get sp log-enricher-trace -o=jsonpath={.status.localhostProfile}
operator/log-enricher-trace.json
% oc debug node/ip-10-0-29-211.us-east-2.compute.internal -- chroot /host cat /var/lib/kubelet/seccomp/operator/log-enricher-trace.json
…
Starting pod/ip-10-0-29-211us-east-2computeinternal-debug-78qlc ...
To use host binaries, run `chroot /host`. Instead, if you need to access host namespaces, run `nsenter -a -t 1`.
{"defaultAction":"SCMP_ACT_LOG"}
Removing debug pod ...
```
Version-Release number of selected component (if applicable):
security-profiles-operator.v0.9.0
How reproducible:
Always
Steps to Reproduce:
1. Install SPO security-profiles-operator.v0.9.0
2. Setting enableLogEnricher to true

```
$ oc -n openshift-security-profiles patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'
```

3. Create a ns and set the right labels

```
$ oc new-project mytest
$ oc label ns mytest spo.x-k8s.io/enable-recording="true"
$ oc label ns mytest security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged --overwrite=true
```

4. Create a profilerecording in the namespace
5. Create a workload to be recorded
Actual results:
The workload will be stuck at "Init:CreateContainerError" status because it is unable to load local profile "/var/lib/kubelet/seccomp/operator/openshift-security-profiles/log-enricher-trace.json". Actually, the local file should be /var/lib/kubelet/seccomp/operator/log-enricher-trace.json

```
% oc get sp log-enricher-trace -o=jsonpath={.status.localhostProfile}
operator/log-enricher-trace.json
% oc debug node/ip-10-0-29-211.us-east-2.compute.internal -- chroot /host cat /var/lib/kubelet/seccomp/operator/log-enricher-trace.json
```
Expected results:
The profilerecording should succeed
Additional info:
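
A node-side check for the path mismatch described in this report, as an added example that is not part of the original report or of the operator's code: it resolves a localhostProfile reference under the kubelet seccomp root and, when the file is missing, reports where a file of the same name actually lives. The function name `check_profile_ref` and the demo directory are constructed for illustration; on a node the root would be /var/lib/kubelet/seccomp.

```shell
#!/bin/sh
# Added example (hypothetical helper, not operator code).
# check_profile_ref ROOT REF
#   ROOT: kubelet seccomp root, e.g. /var/lib/kubelet/seccomp
#   REF:  localhostProfile value, relative to ROOT
# Prints one of:  OK <ref> | ELSEWHERE <ref> -> <actual ref> | MISSING <ref>
# Returns 0 if the file exists, 1 if it does not, 2 if REF is not a
# descending relative path.
check_profile_ref() {
    root=${1%/}
    ref=$2
    case $ref in
        /*|*..*) echo "INVALID $ref"; return 2 ;;
    esac
    if [ -f "$root/$ref" ]; then
        echo "OK $ref"
        return 0
    fi
    # Same file name somewhere else under the root? That is the situation
    # in this report: the pod points at operator/<namespace>/<name>.json
    # while the profile was written to operator/<name>.json.
    name=${ref##*/}
    found=$(find "$root" -type f -name "$name" 2>/dev/null | sort | head -n 1)
    if [ -n "$found" ]; then
        echo "ELSEWHERE $ref -> ${found#"$root"/}"
        return 1
    fi
    echo "MISSING $ref"
    return 1
}

# Demo on a constructed directory tree that mirrors the paths in the report.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/operator"
    printf '%s\n' '{"defaultAction":"SCMP_ACT_LOG"}' \
        > "$tmp/operator/log-enricher-trace.json"
    check_profile_ref "$tmp" \
        "operator/openshift-security-profiles/log-enricher-trace.json"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || true
```

An `ELSEWHERE` result means the reference in the pod spec and the path in the SeccompProfile's `status.localhostProfile` disagree, which is the condition behind the `CreateContainerError` above.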