Description of problem:
Log enricher based seccompprofiles recording and metrics does not work for a pod with privileged == true.

Version-Release number of selected component (if applicable):
4.11.0-0.nightly-2022-06-06-201913

$ oc get csv -n security-profiles-operator
NAME                                   DISPLAY                           VERSION     REPLACES   PHASE
elasticsearch-operator.5.5.0           OpenShift Elasticsearch Operator  5.5.0                  Succeeded
security-profiles-operator.v0.4.3-dev  Security Profiles Operator        0.4.3-dev              Succeeded

How reproducible:
always

Steps to Reproduce:
1. Install Security Profiles Operator.
2. Enable the log enricher.
3. To record by using the enricher, create a ProfileRecording which is using recorder: logs:

$ oc create -f -<<EOF
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: test-recording
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: my-app
EOF

4. Create a workload to be recorded, for example two containers within a single pod:

$ oc create -f -<<EOF
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  labels:
    app: my-app
spec:
  containers:
  - name: nginx
    image: quay.io/security-profiles-operator/test-nginx:1.19.1
    securityContext:
      privileged: true
  - name: redis
    image: quay.io/security-profiles-operator/redis:6.2.1
EOF

5. After the pod is running, check the audit logs for those containers.
6. Delete the pod, check if seccompprofiles are reconciled.

Actual results:
5. Can't get an audit log about container nginx, only see the container redis:

I0609 13:14:32.905207 964568 enricher.go:477] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="security-profiles-operator" "node"="yinzhou69-c9w7s-worker-us-east-1a-vfxz7" "pid"=969968 "pod"="my-pod" "syscallID"=3 "syscallName"="close" "timestamp"="1654780472.902:167434" "type"="seccomp"
I0609 13:14:32.905455 964568 enricher.go:477] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="security-profiles-operator" "node"="yinzhou69-c9w7s-worker-us-east-1a-vfxz7" "pid"=969968 "pod"="my-pod" "syscallID"=232 "syscallName"="epoll_wait" "timestamp"="1654780472.902:167435" "type"="seccomp"

6. After the pod is deleted, no seccompprofiles are reconciled.

Expected results:
5. Could catch audit logs for the container with privileged == true.
6. Could see seccompprofiles reconciled.

Additional info:
Unfortunately this is expected. Currently the log recording is through a special seccomp profile, but if you run a privileged pod, all the seccomp profiles are just ignored by the container runtime. We need to document this. The same applies to SELinux. We should probably also throw an error. I'll use this bugzilla for that.
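As an added illustration of the behaviour explained in this comment (example code written for this page, not part of the bug report or of the operator itself): a pre-flight check that, given a ProfileRecording with recorder: logs and the pods it selects, reports the containers that run with privileged: true and will therefore never produce recording events. The manifests are constructed to match the ones in the report; the selector handling is simplified to matchLabels and init containers are not inspected.

```python
from typing import Any, Dict, List

# Constructed sample objects mirroring the manifests in the report above.
PROFILE_RECORDING: Dict[str, Any] = {
    "kind": "ProfileRecording",
    "metadata": {"name": "test-recording"},
    "spec": {
        "kind": "SeccompProfile",
        "recorder": "logs",
        "podSelector": {"matchLabels": {"app": "my-app"}},
    },
}
PODS: List[Dict[str, Any]] = [
    {
        "metadata": {"name": "my-pod", "labels": {"app": "my-app"}},
        "spec": {"containers": [
            {"name": "nginx", "securityContext": {"privileged": True}},
            {"name": "redis"},
        ]},
    },
    {   # not selected by the recording (label differs), so it must be ignored
        "metadata": {"name": "other-pod", "labels": {"app": "other"}},
        "spec": {"containers": [{"name": "c", "securityContext": {"privileged": True}}]},
    },
]

def pod_selected(recording, pod) -> bool:
    """True if every matchLabels entry of the recording matches the pod's labels
    (matchExpressions are not handled in this simplified check)."""
    wanted = recording["spec"].get("podSelector", {}).get("matchLabels", {})
    labels = pod.get("metadata", {}).get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def unrecordable_containers(recording, pods) -> List[str]:
    """Return 'pod/container' names selected by a logs-recorder ProfileRecording
    that run with privileged: true, i.e. whose syscalls will never be recorded
    because the runtime ignores the recording seccomp profile for them."""
    if recording["spec"].get("recorder") != "logs":
        return []  # only the logs recorder is in scope for this report
    found = []
    for pod in pods:
        if not pod_selected(recording, pod):
            continue
        for c in pod["spec"].get("containers", []):
            if c.get("securityContext", {}).get("privileged") is True:
                found.append(f"{pod['metadata']['name']}/{c['name']}")
    return found

if __name__ == "__main__":
    print(unrecordable_containers(PROFILE_RECORDING, PODS))  # ['my-pod/nginx']
```

Running this against live objects (for example the JSON from `oc get pods -o json`) before creating the recording tells you up front which containers will be missing from the result, instead of discovering it from an empty reconcile as in step 6.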
Per https://github.com/openshift/openshift-docs/pull/52698, the below description was added in the official doc. Move it to Verified. "A container with `privileged: true` security context restraints prevents log-based recording. Privileged containers are not subject to {type} policies, and log-based recording makes use of a special {type} profile to record events"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Security Profiles Operator release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8762