
How to define logenricher by default while deployment of SPO

Open pradeepjairamani opened this issue 3 years ago • 2 comments

I am trying to configure enableLogEnricher: true directly in the security-profiles-operator deployment YAML so I don't have to patch changes during runtime. Can anyone help me with how I can configure it? (I am deploying directly through ArgoCD.)

Also, will there be any issues if I add ProfileRecording with the operator deployment YAML?

apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: demo-recorder
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: demo

pradeepjairamani avatar Sep 13 '22 08:09 pradeepjairamani

On Tue, Sep 13, 2022 at 01:47:49AM -0700, Pradeep Jairamani wrote: (only replying to the other question)

Also will there be any issues if I add ProfileRecording with the operator deployment YAML

apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: demo-recorder
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: demo

Note that ProfileRecordings are namespaced. Without specifying a namespace explicitly, you're (probably?) creating the CR in the operator namespace, which might not be what you want, as opposed to recording the workload in its own namespace.

jhrozek avatar Sep 13 '22 12:09 jhrozek
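A pre-sync check for the namespace point in the reply above, as an added example that is not part of the thread or of the security-profiles-operator project: it lists ProfileRecording documents in a manifest that set no metadata.namespace, so they can be reviewed before they are applied. It assumes block-style YAML as posted in the issue; the names pinned-recorder and demo-ns are made up.

```python
import re

KEY = re.compile(r"^( *)([\w.-]+):\s*(.*?)\s*$")

# The manifest from the issue, plus a constructed copy that pins a namespace
# ("pinned-recorder" and "demo-ns" are made-up names).
RECORDING = """\
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: demo-recorder
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: demo
"""
SAMPLE = RECORDING + "---\n" + RECORDING.replace(
    "  name: demo-recorder\n", "  name: pinned-recorder\n  namespace: demo-ns\n")

def _fields(doc):
    """Top-level kind plus metadata.name/namespace (block-style YAML only)."""
    out, section, child_indent = {}, None, None
    for line in doc.splitlines():
        m = KEY.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
        if indent == 0:  # new top-level key; spec.kind must not count as kind
            section, child_indent = key, None
            if key == "kind":
                out["kind"] = value
        elif section == "metadata":
            if child_indent is None:
                child_indent = indent  # direct children of metadata sit here
            if indent == child_indent and key in ("name", "namespace"):
                out[key] = value
    return out

def unpinned_recordings(manifest):
    """Names of ProfileRecording documents that set no metadata.namespace."""
    missing = []
    for doc in re.split(r"(?m)^---\s*$", manifest):
        f = _fields(doc)
        if f.get("kind") == "ProfileRecording" and not f.get("namespace"):
            missing.append(f.get("name", "<unnamed>"))
    return missing
```

Calling unpinned_recordings(SAMPLE) returns only demo-recorder, the recording whose target namespace is left to whatever the deploy tool applies by default.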

Got it. Are there any other precautions for deployment in a staging environment that I should be aware of? And is there a way I can add the spec to enable the log enricher at deployment time itself, without having to patch it during runtime?

kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'

pradeepjairamani avatar Sep 14 '22 12:09 pradeepjairamani

@pradeepjairamani does your method of deployment allow configuring environment variables? We could perhaps add an environment variable that would auto-configure the logEnricher. Would that help?

jhrozek avatar Oct 05 '22 08:10 jhrozek

I recompiled the image and changed the spod.go configuration to EnableLogEnricher: true:

https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/internal/pkg/manager/spod/bindata/spod.go#L77

pradeepjairamani avatar Oct 12 '22 09:10 pradeepjairamani

Reopening, I think recompiling the image is not a sustainable change and we should support enabling the log enricher at install time via an env var.

jhrozek avatar Oct 13 '22 08:10 jhrozek