Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

can't load security-profiles-operator as dependancy of another operator #2699

Closed
Billy99 opened this issue Jan 27, 2025 · 0 comments · Fixed by #2746
Closed

can't load security-profiles-operator as dependancy of another operator #2699

Billy99 opened this issue Jan 27, 2025 · 0 comments · Fixed by #2746
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@Billy99
Copy link
Contributor

Billy99 commented Jan 27, 2025

With the security-profiles-operator.v0.8.6

What happened:

bpfman-operator has a dependency on security-profiles-operator. When loaded as a dependency through OperatorHub, security-profiles-operator is loaded in the bpfman namespace. When this happens, any created SelinuxProfile stays in the Pending State:

SelinuxProfile in Pending State 
$ kubectl get selinuxprofiles -A
NAMESPACE        NAME            USAGE                                  STATE
go-xdp-counter   bpfman-secure   bpfman-secure_go-xdp-counter.process   Pending

$ kubectl get selinuxprofiles -n go-xdp-counter bpfman-secure -o yaml
apiVersion: security-profiles-operator.x-k8s.io/v1alpha2
kind: SelinuxProfile
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"security-profiles-operator.x-k8s.io/v1alpha2","kind":"SelinuxProfile","metadata":{"annotations":{},"name":"bpfman-secure","namespace":"go-xdp-counter"},"spec":{"allow":{"@self":{"bpf":["map_read","map_write"]},"spc_t":{"bpf":["map_read","map_write"]}},"inherit":[{"kind":"System","name":"container"}]}}
  creationTimestamp: "2025-01-27T18:58:53Z"
  finalizers:
  - ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc-deleted
  - in-use-by-active-pods
  - ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx-deleted
  - ci-ln-d2gf6m2-72292-c599v-worker-a-hjrdw-deleted
  - ci-ln-d2gf6m2-72292-c599v-master-1-deleted
  - ci-ln-d2gf6m2-72292-c599v-master-0-deleted
  - ci-ln-d2gf6m2-72292-c599v-master-2-deleted
  generation: 1
  labels:
    spo.x-k8s.io/profile-id: SelinuxProfile-bpfman-secure
  name: bpfman-secure
  namespace: go-xdp-counter
  resourceVersion: "47239"
  uid: c5899d96-12c5-4b61-996a-3e3796025c76
spec:
  allow:
    '@self':
      bpf:
      - map_read
      - map_write
    spc_t:
      bpf:
      - map_read
      - map_write
  disabled: false
  inherit:
  - kind: System
    name: container
  permissive: false
status:
  activeWorkloads:
  - go-xdp-counter/go-xdp-counter-ds-mr44k
  - go-xdp-counter/go-xdp-counter-ds-bbghn
  - go-xdp-counter/go-xdp-counter-ds-zjrjz
  - go-xdp-counter/go-xdp-counter-ds-gcrws
  - go-xdp-counter/go-xdp-counter-ds-ggjqj
  - go-xdp-counter/go-xdp-counter-ds-szgcx
  conditions:
  - lastTransitionTime: "2025-01-27T18:58:54Z"
    reason: Creating
    status: "False"
    type: Ready
  status: Pending
  usage: bpfman-secure_go-xdp-counter.process

It appears that the function getDS() is searching for the DaemonSet with a label of "spod".

security-profiles-operator/internal/pkg/manager/nodestatus/nodestatus.go

Line 250 in 4dd6f55

spodDSFilter, err := labels.NewRequirement("spod", selection.Exists, []string{})

However, the r.client.List() call is returning all DaemonSets in the Namespace. I'm not sure why the LabelSelector is being ignored, but if it wasn't, the spod DaemonSet does not have any labels so the LabelSelector wouldn't have found anything anyway.

Because the getDS() call fails to find the spod DaemonSet, the reconciler bails and fails reconcile fully.

security-profiles-operator Logs 

$ kubectl logs -n bpfman security-profiles-operator-55744477b8-s59kn -f
I0127 18:52:52.132673       1 main.go:263] "Set logging verbosity to 0"
I0127 18:52:52.133511       1 main.go:269] "Profiling support enabled: false"
I0127 18:52:52.133604       1 main.go:289] "starting component: security-profiles-operator" logger="setup" version="0.8.4" gitCommit="unknown" gitCommitDate="unknown" gitTreeState="clean" buildDate="2024-12-05T09:06:06Z" goVersion="go1.21.13 (Red Hat 1.21.13-3.module+el8.10.0+22345+acdd8d0e)" compiler="gc" platform="linux/amd64" libseccomp="2.5.2" libbpf="none" buildTags="netgo,osusergo,seccomp,no_bpf" ldFlags="unknown" cgoldFlags="unknown" dependencies="cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=,cuelabs.dev/go/oci/ociregistry v0.0.0-20231103182354-93e78c079a13 h1:zkiIe8AxZ/kDjqQN+mDKc5BxoVJOqioSdqApjc+eB1I=,cuelang.org/go v0.7.0 h1:gMztinxuKfJwMIxtboFsNc6s8AxwJGgsJV+3CuLffHI=,filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=,github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 h1:8+4G8JaejP8Xa6W46PzJEwisNgBXMvFcz78N6zG/ARw=,github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=,github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=,github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8=,github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=,github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=,github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=,github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=,github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=,github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=,github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c h1:kMFnB0vCcX7IL/m9Y5LO+KQYv+t1CQOiFe6+SV2J7bE=,github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=,github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 h1:iC9YFYKDGEy3n/FtqJnOkZsene9olVspKmkX5A2YBEo=,github.com/alibabacloud-go/cr-20160607 v1.0.1 h1:WEnP1iPFKJU74ryUKh/YDPHoxMZawqlPajOymyNAkts=,github.com/alibabacloud-go/cr-20181201 v1.0.10 h1:B60f6S1imsgn2fgC6X6FrVNrONDrbCT0NwYhsJ0C9/c=,github.com/alibabacloud-go/darabonba-openapi v0.2.1 h1:WyzxxKvhdVDlwpAMOHgAiCJ+NXa6g5ZWPFEzaK/ewwY=,github.com/alibabacloud-go/debug v1.0.0 h1:3eIEQWfay1fB24PQIEzXAswlVJtdQok8f3EVN5VrBnA=,github.com/alibabacloud-go/endpoint-util v1.1.1 h1:ZkBv2/jnghxtU0p+upSU0GGzW1VL9GQdZO3mcSUTUy8=,github.com/alibabacloud-go/openapi-util v0.1.0 h1:0z75cIULkDrdEhkLWgi9tnLe+KhAFE/r5Pb3312/eAY=,github.com/alibabacloud-go/tea v1.2.1 h1:rFF1LnrAdhaiPmKwH5xwYOKlMh66CqRwPUTzIK74ask=,github.com/alibabacloud-go/tea-utils v1.4.5 h1:h0/6Xd2f3bPE4XHTvkpjwxowIwRCJAJOqY6Eq8f3zfA=,github.com/alibabacloud-go/tea-xml v1.1.3 h1:7LYnm+JbOq2B+T/B0fHC4Ies4/FofC4zHzYtqw7dgt0=,github.com/aliyun/credentials-go v1.3.1 h1:uq/0v7kWrxmoLGpqjx7vtQ/s03f0zR//0br/xWDTE28=,github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=,github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=,github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=,github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=,github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=,github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=,github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU=,github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=,github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE=,github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0=,github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=,github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc=,github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8=,github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM=,github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg=,github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=,github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=,github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=,github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=,github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=,github.com/buildkite/agent/v3 v3.62.0 h1:yvzSjI8Lgifw883I8m9u8/L/Thxt4cLFd5aWPn3gg70=,github.com/buildkite/go-pipeline v0.3.2 h1:SW4EaXNwfjow7xDRPGgX0Rcx+dPj5C1kV9LKCLjWGtM=,github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 h1:k6UDF1uPYOs0iy1HPeotNa155qXRWrzKnqAaGXHLZCE=,github.com/cert-manager/cert-manager v1.14.5 h1:uuM1O2g2S80nxiH3eW2cZYMGiL2zmDFVdAzg8sibWuc=,github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=,github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4=,github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME=,github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=,github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg=,github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ=,github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=,github.com/containers/common v0.59.0 h1:fy9Jz0B7Qs1C030bm73YJtVddaiFSZD3558EV1tgN2g=,github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=,github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM=,github.com/cyberphone/json-canonicalization v0.0.0-20231217050601-ba74d44ecf5f h1:eHnXnuK47UlSTOQexbzxAZfekVz6i+LKRdj1CU5DPaM=,github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=,github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 h1:ge14PCmCvPjpMQMIAH7uKg0lrtNSOdpYsRXlwk3QbaE=,github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 h1:lxmTCgmHE1GUYL7P0MlNa00M67axePTq+9nBSGddR8I=,github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=,github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1xfI36MSkFg=,github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=,github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=,github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=,github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=,github.com/emicklei/proto v1.12.1 h1:6n/Z2pZAnBwuhU66Gs8160B8rrrYKo7h2F2sCOnNceE=,github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro=,github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=,github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=,github.com/go-chi/chi v4.1.2+incompatible h1:fGFk2Gmi/YKXk0OmGfBh0WgmN3XB8lVnEyNz34tQRec=,github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=,github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=,github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=,github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=,github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=,github.com/go-openapi/analysis v0.23.0 h1:aGday7OWupfMs+LbmLZG4k0MYXIANxcuBTYUC03zFCU=,github.com/go-openapi/errors v0.22.0 h1:c4xY/OLxUBSTiepAg3j/MHuAv5mJhnf53LLMWFB+u/w=,github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=,github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=,github.com/go-openapi/loads v0.22.0 h1:ECPGd4jX1U6NApCGG1We+uEozOAvXvJSF4nnwHZ8Aco=,github.com/go-openapi/runtime v0.28.0 h1:gpPPmWSNGo214l6n8hzdXYhPuJcGtziTOgUpvsFWGIQ=,github.com/go-openapi/spec v0.21.0 h1:LTVzPc3p/RzRnkQqLRndbAzjY0d0BCL72A6j3CdL9ZY=,github.com/go-openapi/strfmt v0.23.0 h1:nlUS6BCqcnAk0pyhi9Y+kdDVZdZMHfEKQiS4HaMgO/c=,github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=,github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=,github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=,github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=,github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=,github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=,github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=,github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=,github.com/google/certificate-transparency-go v1.1.8 h1:LGYKkgZF7satzgTak9R4yzfJXEeYVAjV6/EAEJOf1to=,github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 h1:0VpGH+cDhbDtdcweoyCVsF3fhN8kejK6rFe/2FFX2nU=,github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=,github.com/google/go-containerregistry v0.19.1 h1:yMQ62Al6/V0Z7CqIrrS1iYoA5/oQCm88DeNujc7C1KY=,github.com/google/go-github/v55 v55.0.0 h1:4pp/1tNMB9X/LuAhs5i0KQAE40NmiR/y6prLNb9x9cg=,github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=,github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=,github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=,github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=,github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=,github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=,github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=,github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=,github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=,github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=,github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=,github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY=,github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE=,github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY=,github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=,github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=,github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=,github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 h1:WGrKdjHtWC67RX96eTkYD2f53NDHhrq/7robWTAfk4s=,github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=,github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=,github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=,github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=,github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=,github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=,github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=,github.com/mozillazg/docker-credential-acr-helper v0.3.0 h1:DVWFZ3/O8BP6Ue3iS/Olw+G07u1hCq1EOVCDZZjCIBI=,github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de h1:D5x39vF5KCwKQaw+OC9ZPiLVHXz3UFw2+psEX+gYcto=,github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=,github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=,github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=,github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=,github.com/oleiade/reflections v1.0.1 h1:D1XO3LVEYroYskEsoSiGItp9RUxG6jWnCVvrqH0HHQM=,github.com/open-policy-agent/opa v0.61.0 h1:nhncQ2CAYtQTV/SMBhDDPsCpCQsUW+zO/1j+T5V7oZg=,github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=,github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=,github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=,github.com/openshift/api v0.0.0-20221205111557-f2fbb1d1cd5e h1:a0EWi14QFqKNzQUrML8K800Ko+dttLPuMGQOCVIDCDY=,github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=,github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=,github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4=,github.com/pjbgf/go-apparmor v0.1.2 h1:FvMwkThr/XjL3PLAmzpW+p+OcaUWWi92hRi9uc7BdQg=,github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=,github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.74.0 h1:AHzMWDxNiAVscJL6+4wkvFRTpMnJqiaZFEKA/osaBXE=,github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=,github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=,github.com/prometheus/common v0.51.1 h1:eIjN50Bwglz6a/c3hAgSMcofL3nD+nFQkV6Dd4DsQCw=,github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=,github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62zIzQwvoD7Ekj3ePDF5bv9Xxy0w6AZk0qYbjUk=,github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=,github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=,github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=,github.com/sassoftware/relic v7.2.1+incompatible h1:Pwyh1F3I0r4clFJXkSI8bOyJINGqpgjJU3DYAZeI05A=,github.com/seccomp/libseccomp-golang v0.10.0 h1:aA4bp+/Zzi0BnWZ2F1wgNBs5gTpm+na2rWM6M9YjLpY=,github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=,github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=,github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=,github.com/sigstore/cosign/v2 v2.2.3 h1:WX7yawI+EXu9h7S5bZsfYCbB9XW6Jc43ctKy/NoOSiA=,github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc=,github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=,github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4=,github.com/sigstore/timestamp-authority v1.2.1 h1:j9RmqSAdvKgSofeltPO4x7d+1M3AXaROBzUJ+AA7L5Q=,github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=,github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=,github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=,github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=,github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=,github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=,github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=,github.com/spiffe/go-spiffe/v2 v2.1.7 h1:VUkM1yIyg/x8X7u1uXqSRVRCdMdfRIEdFBzpqoeASGk=,github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=,github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d h1:vfofYNRScrDdvS342BElfbETmL1Aiz3i2t0zfRj16Hs=,github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=,github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=,github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=,github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=,github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=,github.com/urfave/cli/v2 v2.27.1 h1:8xSQ6szndafKVRmfyeUMxkNUJQMjL1F2zmsZ+qHpfho=,github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=,github.com/xanzy/go-gitlab v0.96.0 h1:LGkZ+wSNMRtHIBaYE4Hq3dZVjprwHv3Y1+rhKU3WETs=,github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=,github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=,github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=,github.com/yashtewari/glob-intersection v0.2.0 h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg=,github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=,go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=,go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=,go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk=,go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo=,go.opentelemetry.io/otel/metric v1.24.0 h1:6EhoGWWK28x1fbpA4tYTOWBkPefTDQnb8WSGXlc88kI=,go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=,go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y1YELI=,go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk=,go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=,go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=,golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=,golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=,golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=,golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=,golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=,golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=,golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=,golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=,golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=,golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=,gomodules.xyz/jsonpatch/v2 v2.4.0 h1:Ci3iUJyx9UeRx7CeFN8ARgGbkESwJK+KB9lLcWxY/Zw=,google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk=,google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 h1:NnYq6UN9ReLM9/Y01KWNOWyI5xQ9kbIms5GGJVwS/Yc=,google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=,google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=,gopkg.in/go-jose/go-jose.v2 v2.6.3 h1:nt80fvSDlhKWQgSWyHyy5CfmlQr+asih51R8PTWNKKs=,gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=,gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=,gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=,gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=,gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=,k8s.io/api v0.29.5 h1:levS+umUigHCfI3riD36pMY1vQEbrzh4r1ivVWAhHaI=,k8s.io/apiextensions-apiserver v0.29.5 h1:njDywexhE6n+1NEl3A4axT0TMQHREnndrk3/ztdWcNE=,k8s.io/apimachinery v0.29.5 h1:Hofa2BmPfpoT+IyDTlcPdCHSnHtEQMoJYGVoQpRTfv4=,k8s.io/client-go v0.29.5 h1:nlASXmPQy190qTteaVP31g3c/wi2kycznkTP7Sv1zPc=,k8s.io/component-base v0.29.5 h1:Ptj8AzG+p8c2a839XriHwxakDpZH9uvIgYz+o1agjg8=,k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=,k8s.io/kube-openapi v0.0.0-20240103051144-eec4567ac022 h1:avRdiaB03v88Mfvum2S3BBwkNuTlmuar4LlfO9Hajko=,k8s.io/utils v0.0.0-20240310230437-4693a0247e57 h1:gbqbevonBh57eILzModw6mrkbwM0gQBEuevE/AaBsHY=,oras.land/oras-go/v2 v2.4.0 h1:i+Wt5oCaMHu99guBD0yuBjdLvX7Lz8ukPbwXdR7uBMs=,sigs.k8s.io/controller-runtime v0.17.3 h1:65QmN7r3FWgTxDMz9fvGnO1kbf2nu+acg9p2R9oYYYk=,sigs.k8s.io/gateway-api v1.0.0 h1:iPTStSv41+d9p0xFydll6d7f7MOBGuqXM6p2/zVYMAs=,sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=,sigs.k8s.io/release-utils v0.8.1 h1:qSA9p3vZzO6RAq7zvzupCZjR29+n3NK9DSJPe9bSf7w=,sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=,sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E="
I0127 18:52:52.134985       1 main.go:368] "watching all namespaces" logger="setup"
I0127 18:52:52.164464       1 setup.go:174] "matched selinuxd image against nodeInfo" logger="spod-config" image="registry.redhat.io/compliance/openshift-selinuxd-rhel9@sha256:e70bc58c180655b98f5f1cda84d1314f57f9df919cd184183d91544e26849dd0"
I0127 18:52:52.198076       1 main.go:351] "starting manager" logger="setup"
I0127 18:52:52.198214       1 server.go:185] "Starting metrics server" logger="controller-runtime.metrics"
I0127 18:52:52.198718       1 server.go:224] "Serving metrics server" logger="controller-runtime.metrics" bindAddress=":8080" secure=false
I0127 18:52:52.412354       1 leaderelection.go:250] attempting to acquire leader lease bpfman/security-profiles-operator-lock...
I0127 18:52:52.448006       1 leaderelection.go:260] successfully acquired lease bpfman/security-profiles-operator-lock
I0127 18:52:52.448561       1 controller.go:178] "Starting EventSource" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" source="kind source: *v1alpha1.SecurityProfileNodeStatus"
I0127 18:52:52.448598       1 controller.go:178] "Starting EventSource" controller="pods" controllerGroup="" controllerKind="Pod" source="kind source: *v1.Pod"
I0127 18:52:52.448767       1 controller.go:186] "Starting Controller" controller="pods" controllerGroup="" controllerKind="Pod"
I0127 18:52:52.448681       1 controller.go:178] "Starting EventSource" controller="spod-config" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfilesOperatorDaemon" source="kind source: *v1alpha1.SecurityProfilesOperatorDaemon"
I0127 18:52:52.448720       1 controller.go:178] "Starting EventSource" controller="policymerger" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="ProfileRecording" source="kind source: *v1alpha1.ProfileRecording"
I0127 18:52:52.448845       1 controller.go:186] "Starting Controller" controller="policymerger" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="ProfileRecording"
I0127 18:52:52.448903       1 controller.go:178] "Starting EventSource" controller="spod-config" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfilesOperatorDaemon" source="kind source: *v1.DaemonSet"
I0127 18:52:52.448952       1 controller.go:186] "Starting Controller" controller="spod-config" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfilesOperatorDaemon"
I0127 18:52:52.448673       1 controller.go:186] "Starting Controller" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus"
I0127 18:52:52.549185       1 controller.go:220] "Starting workers" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" worker count=1
I0127 18:52:52.549180       1 controller.go:220] "Starting workers" controller="policymerger" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="ProfileRecording" worker count=1
I0127 18:52:52.553352       1 controller.go:220] "Starting workers" controller="pods" controllerGroup="" controllerKind="Pod" worker count=1
I0127 18:52:52.553447       1 controller.go:220] "Starting workers" controller="spod-config" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfilesOperatorDaemon" worker count=1
I0127 18:52:52.553665       1 spod_controller.go:244] "Adding an initial status to the SPOD instance" logger="spod-config" profile="spod" namespace="bpfman"
I0127 18:52:52.770539       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:52:52.770737       1 spod_controller.go:325] "Deploying operator webhook" logger="spod-config"
I0127 18:52:52.806786       1 warning_handler.go:65] "spec.template.metadata.annotations[seccomp.security.alpha.kubernetes.io/pod]: non-functional in v1.27+; use the \"seccompProfile\" field instead" logger="KubeAPIWarningLogger"
I0127 18:52:52.889013       1 spod_controller.go:331] "Creating operator resources" logger="spod-config"
I0127 18:52:52.889050       1 spod_controller.go:336] "Deploying operator daemonset" logger="spod-config"
I0127 18:52:52.941367       1 spod_controller.go:344] "Deploying operator default profiles" logger="spod-config"
I0127 18:52:52.941516       1 spod_controller.go:359] "Deploying metrics service" logger="spod-config"
I0127 18:52:53.006048       1 spod_controller.go:367] "Deploying operator service monitor" logger="spod-config"
I0127 18:52:53.043522       1 spod_controller.go:259] "Adding 'Creating' status to the SPOD instance" logger="spod-config" profile="spod" namespace="bpfman"
I0127 18:52:53.058990       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:52:53.160249       1 spod_controller.go:298] "Adding 'Running' status to the SPOD instance" logger="spod-config" profile="spod" namespace="bpfman"
I0127 18:52:53.182914       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:53:46.477001       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:54:13.486325       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:54:40.495637       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:55:07.504997       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:55:34.514313       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:56:01.523880       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:56:28.533487       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:56:55.542376       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:57:22.551199       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:57:49.561005       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:58:16.570399       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"
I0127 18:58:43.580133       1 ca.go:59] "Using OpenShift as certificate provider" logger="spod-config"

<SELINUX-PROFILE CREATED>

I0127 18:58:54.026264       1 nodestatus.go:134] "Initializing Profile status" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile"
E0127 18:58:54.037972       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.038063       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" reconcileID="0c724904-41a8-4532-9955-30182276873a"
E0127 18:58:54.043615       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.043844       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" reconcileID="04469f06-a659-4126-bc56-fa7253db4266"
E0127 18:58:54.054561       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.054702       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" reconcileID="0353062f-6df9-4053-8a4e-cfcd54bedaf5"
E0127 18:58:54.075507       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.075574       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" reconcileID="b44097f9-d4bf-4c5c-be2f-d86056ea948d"
E0127 18:58:54.116140       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.116222       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" reconcileID="af3ffaa5-f1d5-458f-bee9-35106f2b4543"
E0127 18:58:54.196829       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.196910       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" reconcileID="7cc92b61-5b3c-42ec-a597-1ba12f75a1c7"
I0127 18:58:54.310588       1 warning_handler.go:65] "metadata.finalizers: \"in-use-by-active-pods\": prefer a domain-qualified finalizer name to avoid accidental conflicts with other finalizer writers" logger="KubeAPIWarningLogger"
E0127 18:58:54.357606       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.357687       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-b-g6zkc" reconcileID="f3f2652d-60be-4673-9bda-43e8e1258215"
E0127 18:58:54.528487       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.528726       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" reconcileID="d58bc613-4009-4a97-8970-ac692605dac3"
E0127 18:58:54.534452       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.534537       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" reconcileID="9a165c80-7b19-4580-a9b8-f352628c1b56"
E0127 18:58:54.545282       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.545369       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" reconcileID="f5609e9c-8117-4d2e-87fc-ed95e5fec466"
E0127 18:58:54.561800       1 nodestatus.go:267] "Expected to find 1 DS" err="did not find exactly one DS" logger="nodestatus" nodeStatus="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" Profile.Name="bpfman-secure" Profile.Namespace="go-xdp-counter" Profile.Kind="security-profiles-operator.x-k8s.io/v1alpha2, Kind=SelinuxProfile" len(dsList.Items)=2
E0127 18:58:54.561918       1 controller.go:329] "Reconciler error" err="cannot get the DS: listing DS: did not find exactly one DS" controller="nodestatus" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SecurityProfileNodeStatus" SecurityProfileNodeStatus="go-xdp-counter/bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" namespace="go-xdp-counter" name="bpfman-secure-ci-ln-d2gf6m2-72292-c599v-worker-c-sgxmx" reconcileID="2da56db9-c0cd-42b0-834e-5b11abacf827"
:
<LOGS JUST REPEAT>
spod DaemonSet 

$ kubectl get daemonsets -n bpfman
NAME            DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
bpfman-daemon   6         6         6       6            6           <none>                   13m
spod            6         6         6       6            6           kubernetes.io/os=linux   13m

$ kubectl get daemonsets -n bpfman spod -o yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    deprecated.daemonset.template.generation: "1"
  creationTimestamp: "2025-01-27T18:52:52Z"
  generation: 1
  name: spod
  namespace: bpfman
  ownerReferences:
  - apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: SecurityProfilesOperatorDaemon
    name: spod
    uid: a55d7957-7564-4151-91bc-4224d4db5cd8
  resourceVersion: "42961"
  uid: 825af3d7-3e4a-4d43-bc0e-a5f8625f3bd4
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: security-profiles-operator
      name: spod
  template:
    metadata:
      annotations:
        openshift.io/scc: privileged
      creationTimestamp: null
      labels:
        app: security-profiles-operator
        name: spod
    spec:
      containers:
      - args:
        - daemon
        - --with-selinux=true
        - --with-recording=false
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: OPERATOR_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        - name: SPOD_NAME
          value: spod
        - name: KUBELET_DIR
          value: /var/lib/kubelet
        - name: HOME
          value: /home
        - name: SPO_VERBOSITY
          value: "0"
        image: registry.redhat.io/compliance/openshift-security-profiles-rhel8-operator@sha256:c18e3ec3851f3f11f69b990a4890b9fed8fe9d5c4d769857db623e56ff03bac6
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 1
          httpGet:
            path: /healthz
            port: liveness-port
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: security-profiles-operator
        ports:
        - containerPort: 8085
          name: liveness-port
          protocol: TCP
        resources:
          limits:
            ephemeral-storage: 200Mi
            memory: 128Mi
          requests:
            cpu: 100m
            ephemeral-storage: 50Mi
            memory: 64Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsGroup: 65535
          runAsUser: 65535
          seLinuxOptions:
            type: spc_t
          seccompProfile:
            localhostProfile: security-profiles-operator.json
            type: Localhost
        startupProbe:
          failureThreshold: 10
          httpGet:
            path: /healthz
            port: liveness-port
            scheme: HTTP
          periodSeconds: 3
          successThreshold: 1
          timeoutSeconds: 1
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/lib/kubelet/seccomp/operator
          name: host-operator-volume
        - mountPath: /etc/selinux.d
          name: selinux-drop-dir
        - mountPath: /var/run/selinuxd
          name: selinuxd-private-volume
        - mountPath: /tmp/security-profiles-operator-recordings
          name: profile-recording-output-volume
        - mountPath: /var/run/grpc
          name: grpc-server-volume
        - mountPath: /home
          name: home-volume
        - mountPath: /tmp
          name: tmp-volume
      - args:
        - daemon
        - --datastore-path
        - /var/run/selinuxd/selinuxd.db
        - --socket-path
        - /var/run/selinuxd/selinuxd.sock
        - --socket-uid
        - "0"
        - --socket-gid
        - "65535"
        env:
        - name: KUBELET_DIR
          value: /var/lib/kubelet
        - name: SPO_VERBOSITY
          value: "0"
        image: registry.redhat.io/compliance/openshift-selinuxd-rhel9@sha256:e70bc58c180655b98f5f1cda84d1314f57f9df919cd184183d91544e26849dd0
        imagePullPolicy: Always
        name: selinuxd
        resources:
          limits:
            ephemeral-storage: 400Mi
            memory: 1Gi
          requests:
            cpu: 100m
            ephemeral-storage: 200Mi
            memory: 512Mi
        securityContext:
          capabilities:
            add:
            - CHOWN
            - FOWNER
            - FSETID
            - DAC_OVERRIDE
          readOnlyRootFilesystem: true
          runAsGroup: 0
          runAsUser: 0
          seLinuxOptions:
            type: spc_t
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/selinux.d
          name: selinux-drop-dir
          readOnly: true
        - mountPath: /var/run/selinuxd
          name: selinuxd-private-volume
        - mountPath: /sys/fs/selinux
          name: host-fsselinux-volume
        - mountPath: /etc/selinux
          name: host-etcselinux-volume
        - mountPath: /var/lib/selinux
          name: host-varlibselinux-volume
      - args:
        - --secure-listen-address=0.0.0.0:9443
        - --upstream=http://127.0.0.1:8080
        - --v=10
        - --tls-cert-file=/var/run/secrets/metrics/tls.crt
        - --tls-private-key-file=/var/run/secrets/metrics/tls.key
        - --http2-disable
        image: registry.redhat.io/openshift4/ose-kube-rbac-proxy@sha256:1172e150fff22c5eeab572f26961f3f53fbf896ee76d08c7503cfe2777c55458
        imagePullPolicy: IfNotPresent
        name: metrics
        ports:
        - containerPort: 9443
          name: https
          protocol: TCP
        resources:
          limits:
            ephemeral-storage: 20Mi
            memory: 128Mi
          requests:
            cpu: 50m
            ephemeral-storage: 10Mi
            memory: 32Mi
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/metrics
          name: metrics-cert-volume
          readOnly: true
      dnsPolicy: ClusterFirst
      initContainers:
      - args:
        - non-root-enabler
        - --runtime=cri-o
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: KUBELET_DIR
          value: /var/lib/kubelet
        - name: SPO_VERBOSITY
          value: "0"
        image: registry.redhat.io/compliance/openshift-security-profiles-rhel8-operator@sha256:c18e3ec3851f3f11f69b990a4890b9fed8fe9d5c4d769857db623e56ff03bac6
        imagePullPolicy: Always
        name: non-root-enabler
        resources:
          limits:
            ephemeral-storage: 50Mi
            memory: 64Mi
          requests:
            cpu: 100m
            ephemeral-storage: 10Mi
            memory: 32Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - CHOWN
            - FOWNER
            - FSETID
            - DAC_OVERRIDE
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsUser: 0
          seLinuxOptions:
            type: spc_t
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/lib
          name: host-varlib-volume
        - mountPath: /opt/spo-profiles
          name: operator-profiles-volume
          readOnly: true
        - mountPath: /host
          name: host-root-volume
        - mountPath: /var/run/secrets/metrics
          name: metrics-cert-volume
      - args:
        - |
          set -x
          chown 65535:0 /etc/selinux.d
          chmod 750 /etc/selinux.d
          semodule -i /usr/share/selinuxd/templates/*.cil
          semodule -i /opt/spo-profiles/selinuxd.cil
          semodule -i /opt/spo-profiles/selinuxrecording.cil
        command:
        - bash
        - -c
        env:
        - name: KUBELET_DIR
          value: /var/lib/kubelet
        - name: SPO_VERBOSITY
          value: "0"
        image: registry.redhat.io/compliance/openshift-selinuxd-rhel9@sha256:e70bc58c180655b98f5f1cda84d1314f57f9df919cd184183d91544e26849dd0
        imagePullPolicy: Always
        name: selinux-shared-policies-copier
        resources:
          limits:
            ephemeral-storage: 50Mi
            memory: 1Gi
          requests:
            cpu: 100m
            ephemeral-storage: 10Mi
            memory: 32Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            add:
            - CHOWN
            - FOWNER
            - FSETID
            - DAC_OVERRIDE
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsUser: 0
          seLinuxOptions:
            type: spc_t
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/selinux.d
          name: selinux-drop-dir
        - mountPath: /opt/spo-profiles
          name: operator-profiles-volume
          readOnly: true
        - mountPath: /sys/fs/selinux
          name: host-fsselinux-volume
        - mountPath: /etc/selinux
          name: host-etcselinux-volume
        - mountPath: /var/lib/selinux
          name: host-varlibselinux-volume
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-node-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: spod
      serviceAccountName: spod
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Exists
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
      volumes:
      - hostPath:
          path: /var/lib
          type: Directory
        name: host-varlib-volume
      - hostPath:
          path: /var/lib/security-profiles-operator
          type: DirectoryOrCreate
        name: host-operator-volume
      - configMap:
          defaultMode: 420
          name: security-profiles-operator-profile
        name: operator-profiles-volume
      - emptyDir: {}
        name: selinux-drop-dir
      - emptyDir: {}
        name: selinuxd-private-volume
      - hostPath:
          path: /sys/fs/selinux
          type: Directory
        name: host-fsselinux-volume
      - hostPath:
          path: /etc/selinux
          type: Directory
        name: host-etcselinux-volume
      - hostPath:
          path: /var/lib/selinux
          type: Directory
        name: host-varlibselinux-volume
      - hostPath:
          path: /tmp/security-profiles-operator-recordings
          type: DirectoryOrCreate
        name: profile-recording-output-volume
      - hostPath:
          path: /var/log/audit
          type: DirectoryOrCreate
        name: host-auditlog-volume
      - hostPath:
          path: /var/log
          type: DirectoryOrCreate
        name: host-syslog-volume
      - name: metrics-cert-volume
        secret:
          defaultMode: 420
          secretName: metrics-server-cert
      - hostPath:
          path: /sys/kernel/debug
          type: Directory
        name: sys-kernel-debug-volume
      - hostPath:
          path: /etc/os-release
          type: File
        name: host-etc-osrelease-volume
      - emptyDir: {}
        name: tmp-volume
      - emptyDir: {}
        name: grpc-server-volume
      - hostPath:
          path: /
          type: Directory
        name: host-root-volume
      - emptyDir: {}
        name: home-volume
  updateStrategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 100%
    type: RollingUpdate
status:
  currentNumberScheduled: 6
  desiredNumberScheduled: 6
  numberAvailable: 6
  numberMisscheduled: 0
  numberReady: 6
  observedGeneration: 1
  updatedNumberScheduled: 6

What you expected to happen:

security-profiles-operator to load properly and the SelinuxPolicy to go to the Installed state.

How to reproduce it (as minimally and precisely as possible):

Load security-profiles-operator in a namespace that has another DaemonSet. bpdman-operator has a dependency to pull in the security-profiles-operator (https://github.com/bpfman/bpfman-operator/blob/main/bundle/metadata/dependencies.yaml) which caused them to load in the same namespace, but loading any DaemonSet in the same namespace as security-profiles-operator then creating a SelinuxProfile should reproduce the issue.

Anything else we need to know?:

If I manually load security-profiles-operator from OperatorHub, it gets created in it's own namespace and when the SelinuxProfile is created, it goes ot the Installed state as expected.

Environment:

  • Cloud provider or hardware configuration: OCP on GCP
  • OS (e.g: cat /etc/os-release):
sh-5.1# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="9.4 (Plow)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Red Hat Enterprise Linux 9.4 (Plow)"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:redhat:enterprise_linux:9::baseos"
HOME_URL="https://www.redhat.com/"
DOCUMENTATION_URL="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9"
BUG_REPORT_URL="https://issues.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_BUGZILLA_PRODUCT_VERSION=9.4
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"
  • Kernel (e.g. uname -a):
sh-5.1# uname -a
Linux ci-ln-jdyin4t-72292-tqgkv-master-0 5.14.0-427.52.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Jan 17 15:44:08 EST 2025 x86_64 x86_64 x86_64 GNU/Linux
  • Others:
@Billy99 Billy99 added the kind/bug Categorizes issue or PR as related to a bug. label Jan 27, 2025
Billy99 added a commit to Billy99/bpfman-operator that referenced this issue Feb 11, 2025
@Billy99
remove dependency on security-profiles-operator

Verified

This commit was signed with the committer’s verified signature.
klauspost Klaus Post
GPG key ID: BAA2096BE0B8A075
Verified
Learn about vigilant mode
0b9e8f2 
After deploying the selinux profile, the status on the Selinux Profile
is “Pending”. security-profiles-operator is currently deployed in
OpenShift by making it a dependency of bpfman-operator. As a result, the
security-profiles-operator is deployed in the bpfman namespace.
security-profiles-operator encounters issues with this because there are
other daemonsets in the namespace. Short term, remove the dependency.
security-profiles-operator is still required, it just won't be
auto-installed.

Related: bpfman#331
Related: kubernetes-sigs/security-profiles-operator#2699

Signed-off-by: Billy McFall <22157057+Billy99@users.noreply.github.com>
This was referenced Feb 11, 2025
Open
Open
Billy99 added a commit to Billy99/bpfman-operator that referenced this issue Feb 13, 2025
@Billy99
remove dependency on security-profiles-operator
c0fc24c 
After deploying the selinux profile, the status on the Selinux Profile
is “Pending”. security-profiles-operator is currently deployed in
OpenShift by making it a dependency of bpfman-operator. As a result, the
security-profiles-operator is deployed in the bpfman namespace.
security-profiles-operator encounters issues with this because there are
other daemonsets in the namespace. Short term, remove the dependency.
security-profiles-operator is still required, it just won't be
auto-installed.

Related: bpfman#331
Related: kubernetes-sigs/security-profiles-operator#2699

Signed-off-by: Billy McFall <22157057+Billy99@users.noreply.github.com>
Billy99 added a commit to Billy99/security-profiles-operator that referenced this issue Feb 28, 2025
@Billy99
can't load security-profiles-operator as dependancy of another operator
fc15d19 
When loaded through OperatorHub as a dependency of another operator,
security-profiles-operator is loaded in the namespace of the other operator.
When this happens, any created SelinuxProfile stays in the Pending State.

It appears that the function getDS() is searching for the DaemonSet with
a label of "spod". However, the r.client.List() call is returning all
DaemonSets in the Namespace and bailing because it found more than one.

This commit changes the logic to call Get() instead of GetList().

Resolves: kubernetes-sigs#2699

Signed-off-by: Billy McFall <22157057+Billy99@users.noreply.github.com>
@Billy99 Billy99 mentioned this issue Feb 28, 2025
Merged
Billy99 added a commit to Billy99/security-profiles-operator that referenced this issue Feb 28, 2025
@Billy99
can't load security-profiles-operator as dependancy of another operator
5d27dc8 
When loaded through OperatorHub as a dependency of another operator,
security-profiles-operator is loaded in the namespace of the other operator.
When this happens, any created SelinuxProfile stays in the Pending State.

It appears that the function getDS() is searching for the DaemonSet with
a label of "spod". However, the r.client.List() call is returning all
DaemonSets in the Namespace and bailing because it found more than one.

This commit changes the logic to call Get() instead of GetList().

Resolves: kubernetes-sigs#2699

Signed-off-by: Billy McFall <22157057+Billy99@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
1 participant
@Billy99