- Bug
- Resolution: Won't Do
- Undefined
- None
- 4.11
- Important
- Rejected
- Unspecified
- If docs needed, set a value
Description of problem:
Create a new namespace, create a ProfileRecording based on logs for SelinuxProfile, and create a deployment with proper labels so the profile
When checking log-enricher-based selinuxprofile recording for a deployment: after the workload was deleted, the selinuxprofiles were created as expected. Then, after deleting all selinuxprofiles in the namespace, the metric security_profiles_operator_selinux_profile_total keeps changing even though there is no selinuxprofile available.
Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-06-14-172335 + security-profiles-operator-bundle-container-0.4.3-58
How reproducible:
always
Steps to Reproduce:
1. Create cm:
$ oc create -f -<<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: true
EOF
configmap/cluster-monitoring-config created
2. Install SPO
3. Enable the log enricher with the command below:
$ oc -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'
4. Create a new namespace mytest. To record by using the enricher, create a ProfileRecording which uses recorder: logs:
$ oc new-project mytest
$ oc apply -f -<<EOF
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: hello-openshift-recording
spec:
  kind: SelinuxProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: hello-openshift
EOF
5. Create the service account with privileged permission:
$ oc create -f -<<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: null
  name: spo-record-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: null
  name: spo-record
  namespace: mytest
rules:
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  resourceNames:
  - privileged
  verbs:
  - use
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spo-record
  namespace: mytest
subjects:
- kind: ServiceAccount
  name: spo-record-sa
roleRef:
  kind: Role
  name: spo-record
  apiGroup: rbac.authorization.k8s.io
EOF
Create a deployment:
$ oc apply -f -<<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-openshift
spec:
  replicas: 3
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      serviceAccountName: spo-record-sa
      initContainers:
      - name: wait
        image: quay.io/openshifttest/centos:centos7
        command: ["/bin/sh", "-c", "env"]
      containers:
      - name: hello-openshift
        image: quay.io/openshifttest/hello-openshift:multiarch
        ports:
        - containerPort: 80
      - name: redis
        image: quay.io/security-profiles-operator/redis:6.2.1
EOF
6. When the pods for the deployment are running, trigger curl from the hello-openshift containers
7. Delete workload
$ oc delete deployment hello-openshift
8. Wait until all selinuxprofiles are created and installed, then delete all the selinuxprofiles
$ oc get selinuxprofile
NAME                                          USAGE                                                        STATE
hello-openshift-recording-hello-openshift-0   hello-openshift-recording-hello-openshift-0_my-app.process   Installed
hello-openshift-recording-hello-openshift-1   hello-openshift-recording-hello-openshift-1_my-app.process   Installed
hello-openshift-recording-redis-0             hello-openshift-recording-redis-0_my-app.process             Installed
hello-openshift-recording-redis-1             hello-openshift-recording-redis-1_my-app.process             Installed
$ oc delete selinuxprofiles.security-profiles-operator.x-k8s.io --all
selinuxprofile.security-profiles-operator.x-k8s.io "hello-openshift-recording-hello-openshift-0" deleted
selinuxprofile.security-profiles-operator.x-k8s.io "hello-openshift-recording-hello-openshift-1" deleted
selinuxprofile.security-profiles-operator.x-k8s.io "hello-openshift-recording-redis-0" deleted
selinuxprofile.security-profiles-operator.x-k8s.io "hello-openshift-recording-redis-1" deleted
Actual results:
When the selinuxprofiles are deleted, the metric keeps changing.
Expected results:
When the selinuxprofiles are deleted, the metric should only be updated when selinuxprofiles are deleted.
$ oc get selinuxprofile --all-namespaces
No resources found
$ kubectl run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest -n mytest metrics-test -- bash -c 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.security-profiles-operator/metrics-spod' | grep security_profiles_operator_selinux
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "metrics-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "metrics-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "metrics-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "metrics-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
# HELP security_profiles_operator_selinux_profile_total Counter about selinux profile operations.
# TYPE security_profiles_operator_selinux_profile_total counter
security_profiles_operator_selinux_profile_total{operation="update"} 36
$ kubectl run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest -n mytest metrics-test -- bash -c 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.security-profiles-operator/metrics-spod' | grep security_profiles_operator_selinux_profile_total
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "metrics-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "metrics-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "metrics-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "metrics-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
# HELP security_profiles_operator_selinux_profile_total Counter about selinux profile operations.
# TYPE security_profiles_operator_selinux_profile_total counter
security_profiles_operator_selinux_profile_total{operation="update"} 42
$ kubectl run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest -n mytest metrics-test -- bash -c 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.security-profiles-operator/metrics-spod' | grep security_profiles_operator_selinux_profile_total
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "metrics-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "metrics-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "metrics-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "metrics-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
# HELP security_profiles_operator_selinux_profile_total Counter about selinux profile operations.
# TYPE security_profiles_operator_selinux_profile_total counter
security_profiles_operator_selinux_profile_total{operation="update"} 35
$ kubectl run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest -n mytest metrics-test -- bash -c 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.security-profiles-operator/metrics-spod' | grep security_profiles_operator_selinux_profile_total
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "metrics-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "metrics-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "metrics-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "metrics-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
# HELP security_profiles_operator_selinux_profile_total Counter about selinux profile operations.
# TYPE security_profiles_operator_selinux_profile_total counter
security_profiles_operator_selinux_profile_total{operation="update"} 27
$ kubectl run --rm -i --restart=Never --image=registry.fedoraproject.org/fedora-minimal:latest -n mytest metrics-test -- bash -c 'curl -ks -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" https://metrics.security-profiles-operator/metrics-spod' | grep security_profiles_operator_selinux_profile_total
Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "metrics-test" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "metrics-test" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "metrics-test" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "metrics-test" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
# HELP security_profiles_operator_selinux_profile_total Counter about selinux profile operations.
# TYPE security_profiles_operator_selinux_profile_total counter
security_profiles_operator_selinux_profile_total{operation="update"} 42
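The five scrapes above report the counter at 36, 42, 35, 27 and then 42 again. A Prometheus counter is non-decreasing for the lifetime of the process that owns it, so a drop between two scrapes means the two requests did not read the same counter instance (the process restarted and reset it, or a different backend answered). The script below is an added example, not code from this report or from the security-profiles-operator project: it parses the Prometheus text format that the curl command returns, pulls out one labelled series across successive scrapes, and flags every step where the counter went down. The scrape bodies embedded in it are constructed to match the values quoted above.

```python
import re
from typing import Dict, List, Tuple

# Name of the counter the report is watching (taken from the report itself).
METRIC = "security_profiles_operator_selinux_profile_total"

# One sample line of the Prometheus text exposition format:
#   name{label="value",...} value [timestamp]
# The regex tolerates stray whitespace around the label set, as seen in the
# pasted output above.
_SAMPLE_RE = re.compile(
    r"^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)\s*"
    r"(?:\{(?P<labels>[^}]*)\})?\s*"
    r"(?P<value>[-+]?(?:\d+\.?\d*(?:[eE][-+]?\d+)?|NaN|Inf))"
    r"(?:\s+(?P<ts>-?\d+))?\s*$"
)
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')

MetricKey = Tuple[str, Tuple[Tuple[str, str], ...]]


def parse_metrics(text: str) -> Dict[MetricKey, float]:
    """Parse one scrape into {(metric name, sorted label pairs): value}.

    '# HELP' / '# TYPE' comments, blank lines and anything that is not a
    sample (such as a kubectl warning printed into the same stream) are skipped.
    """
    samples: Dict[MetricKey, float] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SAMPLE_RE.match(line)
        if not m:
            continue
        labels = tuple(sorted(_LABEL_RE.findall(m.group("labels") or "")))
        samples[(m.group("name"), labels)] = float(m.group("value"))
    return samples


def counter_series(scrapes: List[str], name: str, labels: Dict[str, str]) -> List[float]:
    """Extract the value of one labelled series from each successive scrape."""
    key: MetricKey = (name, tuple(sorted(labels.items())))
    series = []
    for text in scrapes:
        value = parse_metrics(text).get(key)
        if value is not None:
            series.append(value)
    return series


def find_counter_decreases(series: List[float]) -> List[Tuple[int, float, float]]:
    """Return (scrape index, previous value, current value) for every step where
    the counter went down.

    A Prometheus counter never decreases within the lifetime of one process, so a
    drop between two scrapes means they did not observe the same counter
    instance: either the process restarted (counter reset) or another backend
    answered the request.
    """
    return [
        (i, series[i - 1], series[i])
        for i in range(1, len(series))
        if series[i] < series[i - 1]
    ]


def _scrape(value: int) -> str:
    # Constructed scrape body in the shape of the report's output, including a
    # stand-in for the PodSecurity warning that kubectl run mixed into the stream.
    return (
        'Warning: would violate PodSecurity "restricted:v1.24": (constructed)\n'
        f"# HELP {METRIC} Counter about selinux profile operations.\n"
        f"# TYPE {METRIC} counter\n"
        f'{METRIC}{{operation="update"}} {value}\n'
    )


# The five successive observations quoted in the report: 36, 42, 35, 27, 42.
SAMPLE_SCRAPES = [_scrape(v) for v in (36, 42, 35, 27, 42)]


def audit_sample() -> List[Tuple[int, float, float]]:
    """Run the monotonicity check over the constructed sample scrapes."""
    return find_counter_decreases(
        counter_series(SAMPLE_SCRAPES, METRIC, {"operation": "update"})
    )


if __name__ == "__main__":
    observed = counter_series(SAMPLE_SCRAPES, METRIC, {"operation": "update"})
    print("observed:", observed)
    for idx, prev, cur in find_counter_decreases(observed):
        print(f"scrape {idx}: counter fell from {prev:g} to {cur:g}; not the same counter instance")
```

To use it against a live cluster, save the output of each curl invocation from the steps above to its own file and pass the file contents as the list of scrapes. If every individual pod behind the metrics Service shows a monotonic counter while the Service address does not, the requests are being spread across pods and the numbers are not comparable with each other; the check therefore separates "the metric is wrong" from "the metric is being read from several instances".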
Additional info: