Closed felixkrohn closed 3 years ago
@felixkrohn to set a custom Seccomp or SELinux profile, you need to use the privileged SCC. There's no way around that right now. That's part of what we're trying to fix in https://github.com/openshift/enhancements/pull/745 by introducing the measured SCC.
I'm struggling with an issue on k8s 1.19/ocp 4.6 where I might need some grand wizardry of SELinux & k8s to get some insight into where to dig further. The examples here work fine: I can create the policy, it gets applied to the node, I can create the pod, the policy is applied and it runs just fine. However, as soon as I modify the pod YAML to create a Deployment/DeploymentConfig and these in turn create a ReplicaSet/ReplicationController, I get errors:
Interestingly, this works, however, if I give the pod's serviceAccount "privileged" SCC/PSP access (which of course is the exact opposite of what I'd like to do).
Did you ever encounter this issue? Any pointers in which direction to dig? (I haven't yet tried if the same issue occurs with SPO, but assume this might be the case if the same fields are used.)