-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
recording: Emit event when attempting to record a privileged container + add docs #1156
recording: Emit event when attempting to record a privileged container + add docs #1156
Conversation
This was apparently clear to neither users or developers, see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=2095298
dcafcb1
to
05ba8cc
Compare
81ad4d7
to
d7a34f8
Compare
/lgtm cancel |
Please note that log based recording does not have any effect if the recorded container | ||
is privileged, that is, the container's security context sets `privileged: true`. This |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we wanna behave in the same way if we already have a seccomp profile applied to the container?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think there might be a use-case for still recording a workload even if there's a profile applied to it. e.g. verifying that the applied profile is sufficient.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But for the log enricher we would override the existing profile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For Seccomp? I thought it was only the case for SELinux.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we wanna behave in the same way if we already have a seccomp profile applied to the container?
I'm sorry, can you elaborate? Are you thinking about the case where someone records a workload while already specifying the profile in the first place?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The webhook just updates the security context for log based seccomp profile recordings:
security-profiles-operator/internal/pkg/webhooks/recording/recording.go
Lines 250 to 268 in 1e4dfea
func (p *podSeccompRecorder) updateSeccompSecurityContext( | |
ctr *corev1.Container, | |
) { | |
if ctr.SecurityContext == nil { | |
ctr.SecurityContext = &corev1.SecurityContext{} | |
} | |
if ctr.SecurityContext.SeccompProfile == nil { | |
ctr.SecurityContext.SeccompProfile = &corev1.SeccompProfile{} | |
} | |
ctr.SecurityContext.SeccompProfile.Type = corev1.SeccompProfileTypeLocalhost | |
profile := fmt.Sprintf( | |
"operator/%s/%s.json", | |
p.impl.GetOperatorNamespace(), | |
config.LogEnricherProfile, | |
) | |
ctr.SecurityContext.SeccompProfile.LocalhostProfile = &profile | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we wanna behave in the same way if we already have a seccomp profile applied to the container?
I'm sorry, can you elaborate? Are you thinking about the case where someone records a workload while already specifying the profile in the first place?
Yes, exactly. We could assume that users do not understand how it works in detail, so I'm wondering if we wanna make them aware that we overwrote their already used seccomp profile.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, makes sense. btw it seems like we were overwriting the context for SELinux recording as well, so I added events to both.
…based recorder In addition to documenting that privileged pods can't be recorded with a log-based recorder, let's also issue an event.
d7a34f8
to
fc64b1d
Compare
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JAORMX, jhrozek, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind cleanup
/kind documentation
What this PR does / why we need it:
Which issue(s) this PR fixes:
None
Does this PR have test?
No
Special notes for your reviewer:
N/A
Does this PR introduce a user-facing change?