security-profiles-operator
ProfileBinding for Deployment fails to record active workload
What happened:
I tried to use a ProfileBinding for a Deployment so that each of the replicas gets a seccomp profile.
Here are the steps:
1. Create a SeccompProfile in the demo namespace.
2. Create an nginx Deployment in the demo namespace.
3. Create a ProfileBinding in the demo namespace, which binds the profile from step 1 to the image from step 2.
4. Delete the nginx pod; the restarted one has the SeccompProfile.
The SeccompProfile records the active workload correctly, but the ProfileBinding does not:
controlplane $ kubectl describe sp profile1 -n demo
Name:         profile1
Namespace:    demo
Labels:       spo.x-k8s.io/profile-id=SeccompProfile-profile1
Annotations:  <none>
API Version:  security-profiles-operator.x-k8s.io/v1beta1
Kind:         SeccompProfile
Metadata:
  Creation Timestamp:  2022-08-09T11:10:25Z
  Finalizers:
    node01-delete
    in-use-by-active-pods
  Generation:  1
  Managed Fields:
    API Version:  security-profiles-operator.x-k8s.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:defaultAction:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-08-09T11:10:25Z
    API Version:  security-profiles-operator.x-k8s.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"in-use-by-active-pods":
          v:"node01-delete":
        f:labels:
          .:
          f:spo.x-k8s.io/profile-id:
    Manager:      security-profiles-operator
    Operation:    Update
    Time:         2022-08-09T11:16:43Z
    API Version:  security-profiles-operator.x-k8s.io/v1beta1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:activeWorkloads:
        f:conditions:
        f:localhostProfile:
        f:status:
    Manager:      security-profiles-operator
    Operation:    Update
    Subresource:  status
    Time:         2022-08-09T11:16:43Z
  Resource Version:  6101
  UID:               06e83587-4793-490d-a1f2-c7e32edd0ae8
Spec:
  Default Action:  SCMP_ACT_LOG
Status:
  Active Workloads:
    demo/nginx-pod-9bcd76d97-w8wzd
  Conditions:
    Last Transition Time:  2022-08-09T11:10:25Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
  Localhost Profile:       operator/demo/profile1.json
  Status:                  Pending
Events:
  Type    Reason               Age    From     Message
  ----    ------               ----   ----     -------
  Normal  SavedSeccompProfile  7m53s  profile  Successfully saved profile to disk on node01
Here is the ProfileBinding config:
controlplane $ kubectl describe profilebinding nginx-bind -ndemo
Name:         nginx-binding
Namespace:    demo
Labels:       <none>
Annotations:  <none>
API Version:  security-profiles-operator.x-k8s.io/v1alpha1
Kind:         ProfileBinding
Metadata:
  Creation Timestamp:  2022-08-09T11:14:43Z
  Finalizers:
    active-workload-lock
  Generation:  1
  Managed Fields:
    API Version:  security-profiles-operator.x-k8s.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:image:
        f:profileRef:
          .:
          f:kind:
          f:name:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-08-09T11:14:43Z
    API Version:  security-profiles-operator.x-k8s.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:finalizers:
          .:
          v:"active-workload-lock":
    Manager:      security-profiles-operator
    Operation:    Update
    Time:         2022-08-09T11:16:43Z
    API Version:  security-profiles-operator.x-k8s.io/v1alpha1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:activeWorkloads:
    Manager:      security-profiles-operator
    Operation:    Update
    Subresource:  status
    Time:         2022-08-09T11:16:43Z
  Resource Version:  6088
  UID:               7b3278aa-0d7a-419c-b635-f7f8ae2a26da
Spec:
  Image:  nvbeta/swarm_nginx
  Profile Ref:
    Kind:  SeccompProfile
    Name:  profile1
Status:
  Active Workloads:
    demo/
Events:  <none>
What you expected to happen:
The ProfileBinding should record the active workload correctly, not just the namespace.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
And I just wonder whether the ProfileBinding has to record the active workload at all, since the SeccompProfile already does.
Environment:
- Cloud provider or hardware configuration:
- OS (e.g: cat /etc/os-release):
- Kernel (e.g. uname -a):
- Others:
k8s version:
controlplane $ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-03T13:46:05Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.0", GitCommit:"4ce5a8954017644c5420bae81d72b09b735c21f0", GitTreeState:"clean", BuildDate:"2022-05-03T13:38:19Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}
OS:
controlplane $ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Kernel:
Linux controlplane 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
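The manifests below reproduce steps 1 to 3 of the report in one file, as an added example; they are not from the issue or from the security-profiles-operator repository. The namespace demo, the profile name profile1, the Deployment name nginx-pod and the image nvbeta/swarm_nginx are taken from the report; the replica count, the container name and the app label are assumed for illustration.

```yaml
# Added example reproducing the report's steps 1-3 (not the reporter's own manifests).
# Assumed values: replicas, the "app: nginx" label and the container name "nginx".
---
apiVersion: v1
kind: Namespace
metadata:
  name: demo
---
# Step 1: the profile. SCMP_ACT_LOG matches the report: the profile only logs
# syscalls to the audit log instead of blocking them, which is the right first
# pass for discovering what a workload needs. Switch to SCMP_ACT_ERRNO with an
# explicit syscall allow-list once the logged syscall set is known; otherwise
# the binding gives visibility but no enforcement.
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
  name: profile1
  namespace: demo
spec:
  defaultAction: SCMP_ACT_LOG
---
# Step 2: the workload. The image string here is what the ProfileBinding below
# matches against, so keep the two identical (same registry, name and tag).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-pod
  namespace: demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nvbeta/swarm_nginx
---
# Step 3: bind the image from step 2 to the profile from step 1.
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  name: nginx-binding
  namespace: demo
spec:
  image: nvbeta/swarm_nginx
  profileRef:
    kind: SeccompProfile
    name: profile1
```

Apply the file, then restart the Deployment (for example `kubectl rollout restart deployment/nginx-pod -n demo`) rather than editing the binding: the binding is applied by a mutating webhook at pod admission, so pods that already exist are not patched, which is why step 4 of the report deletes the pod. To confirm the webhook did its job on the new pods, look for the seccomp settings in the pod spec (`kubectl get pod -n demo -o yaml | grep -A3 seccompProfile` should show a Localhost profile under operator/demo/profile1.json, matching the Localhost Profile field in the SeccompProfile status above), and compare `kubectl get seccompprofile profile1 -n demo -o jsonpath='{.status.activeWorkloads}'` with `kubectl get profilebinding nginx-binding -n demo -o jsonpath='{.status.activeWorkloads}'`; on the reporter's operator version the first lists demo/<pod-name> while the second stops at demo/.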