OpenShift Bugs: OCPBUGS-9400

Document finalizer usage


    • Moderate
    • x86_64
    • If docs needed, set a value

      Description of problem:
      When deleting a seccompprofile which is referred to by a running pod, the deletion is blocked until I delete the pod. I think it should prompt “the seccompprofile is in use” rather than being blocked in place.

      Version-Release number of selected component (if applicable):
      4.11.0-0.nightly-2022-07-13-131410

      How reproducible:
      always

      Steps to Reproduce:
      1. Install security profile operator

      2. Create a seccompprofile in namespace spo
      % oc new-project spo

      % oc create -f spo/sleep_sh_pod_p.yaml
      seccompprofile.security-profiles-operator.x-k8s.io/sleep-sh-pod created

      % oc get seccompprofile --all-namespaces
      NAMESPACE                    NAME                 STATUS      AGE
      security-profiles-operator   log-enricher-trace   Installed   8m
      security-profiles-operator   nginx-1.19.1         Installed   8m
      spo                          sleep-sh-pod         Installed   4m25s

      sleep_sh_pod_p.yaml:
      apiVersion: security-profiles-operator.x-k8s.io/v1beta1
      kind: SeccompProfile
      metadata:
        name: sleep-sh-pod
        namespace: spo
      spec:
        defaultAction: SCMP_ACT_ERRNO
        architectures:
        - SCMP_ARCH_X86_64
        syscalls:
        - action: SCMP_ACT_ALLOW
          names:
          - arch_prctl
          - brk
          - capget
          - capset
          - chdir
          - clone
          - close
          - dup3
          - epoll_ctl
          - epoll_pwait
          - execve
          - exit_group
          - fchdir
          - fchown
          - fcntl
          - fstat
          - fstatfs
          - futex
          - getcwd
          - getdents64
          - getpid
          - getppid
          - getuid
          - ioctl
          - lseek
          - mmap
          - mount
          - mprotect
          - nanosleep
          - newfstatat
          - open
          - openat
          - pivot_root
          - prctl
          - read
          - rt_sigaction
          - rt_sigprocmask
          - rt_sigreturn
          - set_tid_address
          - setgid
          - setgroups
          - sethostname
          - setuid
          - stat
          - statfs
          - tgkill
          - time
          - umask
          - umount2
          - wait4
          - write
          - mkdir
          - mkdirat

      3. Check the seccompprofile on node
      % oc debug node/ip-10-0-157-245.us-east-2.compute.internal
      sh-4.4# chroot /host
      sh-4.4# ls -ltr /var/lib/kubelet/seccomp/operator/spo/
      total 4
      -rw-r--r--. 1 65535 65535 626 Jul 15 07:47 sleep-sh-pod.json
      sh-4.4# cat /var/lib/kubelet/seccomp/operator/spo/sleep-sh-pod.json
      {"defaultAction":"SCMP_ACT_ERRNO","architectures":["SCMP_ARCH_X86_64"],"syscalls":[{"names":["arch_prctl","brk","capget","capset","chdir","clone","close","dup3","epoll_ctl","epoll_pwait","execve","exit_group","fchdir","fchown","fcntl","fstat","fstatfs","futex","getcwd","getdents64","getpid","getppid","getuid","ioctl","lseek","mmap","mount","mprotect","nanosleep","newfstatat","open","openat","pivot_root","prctl","read","rt_sigaction","rt_sigprocmask","rt_sigreturn","set_tid_address","setgid","setgroups","sethostname","setuid","stat","statfs","tgkill","time","umask","umount2","wait4","write"],"action":"SCMP_ACT_ALLOW"}]}

      4. Create a pod that refers to the seccompprofile in step 2
      % oc create -f spo/sleep_sh_pod.yaml
      pod/test-pod1 created

      sleep_sh_pod.yaml:
      apiVersion: v1
      kind: Pod
      metadata:
        name: test-pod1
        namespace: security-profiles-operator
      spec:
        containers:
        - name: busybox
          image: quay.io/openshifttest/busybox:latest
          command: [ "/bin/sh", "-c", "while true ; do date; sleep 1; done;" ]
          securityContext:
            seccompProfile:
              type: Localhost
              localhostProfile: operator/spo/sleep-sh-pod.json

      5. Delete the seccompprofile
      % oc delete seccompprofile sleep-sh-pod -n spo

      6. Wait several minutes, then delete the pod
      % oc delete pod test-pod1 -n security-profiles-operator
      pod "test-pod1" deleted

      7. Check the deletion of seccompprofile in step 5

      Actual results:
      5. The deletion is blocked all the time.
      6. The pod is deleted successfully
      7. The deletion has now finished.

      Expected results:
      5. It prompts: the seccompprofile is in use by pod test-pod1 in ns spo.

      Additional info:
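As an added example (not part of this bug report and not the Security Profiles Operator's own code), a check an administrator can run before deleting a SeccompProfile to find the pods that will hold its finalizer back: it maps the profile to the kubelet-relative localhostProfile path seen in step 3 (operator/<namespace>/<name>.json) and scans a PodList for pod-level, container and init-container references. The pod list below is constructed to mirror test-pod1 from the report; in practice it would be the JSON from `oc get pods -A -o json`.

```python
import json

# Constructed sample shaped like `oc get pods -A -o json`; test-pod1 mirrors the pod
# in the bug report, the other two pods are added here to show non-matching cases.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "test-pod1", "namespace": "security-profiles-operator"},
  "spec": {"containers": [{"name": "busybox", "securityContext": {"seccompProfile":
    {"type": "Localhost", "localhostProfile": "operator/spo/sleep-sh-pod.json"}}}]}},
 {"metadata": {"name": "web", "namespace": "default"},
  "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
           "containers": [{"name": "nginx"}]}},
 {"metadata": {"name": "other", "namespace": "default"},
  "spec": {"containers": [{"name": "c", "securityContext": {"seccompProfile":
    {"type": "Localhost", "localhostProfile": "operator/spo/other.json"}}}]}}
]}
""")

def profile_localhost_path(namespace, name):
    """Kubelet-relative path SPO writes for a SeccompProfile (see step 3 of the report)."""
    return f"operator/{namespace}/{name}.json"

def _localhost_profile(security_context):
    """localhostProfile of a securityContext, or None unless its seccomp type is Localhost."""
    sp = (security_context or {}).get("seccompProfile") or {}
    return sp.get("localhostProfile") if sp.get("type") == "Localhost" else None

def pods_using_profile(pod_list, namespace, name):
    """Return (pod_namespace, pod_name, location) for every pod referencing the profile,
    checking the pod-level securityContext, each container and each init container."""
    wanted = profile_localhost_path(namespace, name)
    hits = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        if _localhost_profile(spec.get("securityContext")) == wanted:
            hits.append((meta["namespace"], meta["name"], "pod"))
        for field in ("initContainers", "containers"):
            for c in spec.get(field, []):
                if _localhost_profile(c.get("securityContext")) == wanted:
                    hits.append((meta["namespace"], meta["name"], f"{field}/{c['name']}"))
    return hits

def in_use_message(pod_list, namespace, name):
    """The kind of message the reporter asks for, or None when deletion can proceed."""
    hits = pods_using_profile(pod_list, namespace, name)
    if not hits:
        return None
    users = ", ".join(f"pod {p} in ns {ns} ({where})" for ns, p, where in hits)
    return f"seccompprofile {name} in ns {namespace} is in use by {users}"
```

For the sample list, `in_use_message(SAMPLE_POD_LIST, "spo", "sleep-sh-pod")` names test-pod1 in namespace security-profiles-operator, the pod that blocked the deletion in step 5.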

            jhrozek@redhat.com Jakub Hrozek
            rhn-support-minmli Min Li
            Xiaojie Yuan Xiaojie Yuan