kubernetes-sigs / security-profiles-operator

The Kubernetes Security Profiles Operator
Apache License 2.0

AKS eBPF recording #2002

Closed sybadm closed 12 months ago

sybadm commented 12 months ago

I'm having a hard time setting up eBPF recording profiles on AKS 1.27.3.

Although all SPODs are running normally with no errors, I do not see the commands getting recorded in `security-profiles-operator logs --selector name=spod -c bpf-recorder`.

What happened:

Current SPOD settings:

```shell
kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"enableBpfRecorder":true}}'
kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"enableLogEnricher":true}}'
kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"verbosity":1}}'
```

test-profile-recording.yaml:

```yaml
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: test-recording
spec:
  kind: SeccompProfile
  recorder: bpf
  podSelector:
    matchLabels:
      app: my-app
```

test-pod.yaml:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  labels:
    app: my-app
spec:
  containers:
    - name: nginx
      image: quay.io/security-profiles-operator/test-nginx:1.19.1
```

```console
$ kubectl get seccompprofile -o wide -A
NAMESPACE                    NAME                 STATUS      AGE     LOCALHOSTPROFILE
default                      log                  Installed   49m     operator/default/log.json
security-profiles-operator   log-enricher-trace   Installed   52m     operator/security-profiles-operator/log-enricher-trace.json
```

**I believe I should see test-recording in the above output?**

```console
$ kubectl get profilerecordings -o wide
NAME             PODSELECTOR
test-recording   {"matchLabels":{"app":"my-app"}}
$ kubectl get pods
NAME        READY   STATUS                 RESTARTS   AGE
my-pod      1/1     Running                0          60m
```

```console
$ kubectl exec -it my-pod -- bash
root@my-pod:/# mkdir test01
root@my-pod:/# mkdir test02
root@my-pod:/# exit
exit

$ kubectl run --rm -it --restart=Never --image=alpine --labels app=my-app alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # mkdir test-alpine01
/ # mkdir test-alpine02
/ # exit
```

```console
$ kubectl -n security-profiles-operator get pods
NAME                                                  READY   STATUS    RESTARTS   AGE
security-profiles-operator-74565b6d4d-ppwxl           1/1     Running   0          17h
security-profiles-operator-74565b6d4d-sc4hk           1/1     Running   0          17h
security-profiles-operator-74565b6d4d-v8xnb           1/1     Running   0          17h
security-profiles-operator-webhook-5dc9dd486f-j2n8t   1/1     Running   0          17h
security-profiles-operator-webhook-5dc9dd486f-jwczk   1/1     Running   0          17h
security-profiles-operator-webhook-5dc9dd486f-ps977   1/1     Running   0          17h
spod-2gwcx                                            4/4     Running   0          35m
spod-757xq                                            4/4     Running   0          35m
spod-hcxzp                                            4/4     Running   0          35m
spod-kfrgr                                            4/4     Running   0          35m
spod-px9dh                                            4/4     Running   0          35m
spod-r9dg2                                            4/4     Running   0          35m
spod-t8gcb                                            4/4     Running   0          35m
```

Logs:

```console
$ kubectl -n security-profiles-operator logs --selector name=spod -c bpf-recorder
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:47.975435 3943515 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:37:47.975462 3943515 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:37:47.975676 3943515 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:37:47.975704 3943515 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:37:47.976616 3943515 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:37:47.977024 3943515 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:37:47.996816 3943515 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:50.410341 1704294 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:37:50.410375 1704294 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:37:50.410743 1704294 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:37:50.410788 1704294 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:37:50.412025 1704294 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:37:50.412051 1704294 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:37:50.428735 1704294 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:50.334593 3028798 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:37:50.334638 3028798 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:37:50.335052 3028798 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:37:50.335097 3028798 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:37:50.336129 3028798 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:37:50.336151 3028798 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:37:50.354593 3028798 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:46.701211 1601561 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:37:46.701228 1601561 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:37:46.701448 1601561 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:37:46.701468 1601561 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:37:46.702179 1601561 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:37:46.702186 1601561 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:37:46.719717 1601561 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:46.911054 2755718 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:37:46.911078 2755718 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:37:46.911333 2755718 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:37:46.911364 2755718 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:37:46.912924 2755718 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:37:46.912936 2755718 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:37:46.938188 2755718 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:50.594629 3386371 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:37:50.594674 3386371 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:37:50.595077 3386371 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:37:50.595184 3386371 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:37:50.596711 3386371 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:37:50.596740 3386371 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:37:50.612239 3386371 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:38:26.010678 1723838 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:38:26.010714 1723838 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:38:26.011285 1723838 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:38:26.011354 1723838 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:38:26.013397 1723838 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:38:26.013440 1723838 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:38:26.036121 1723838 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
```

```console
$ kubectl get pods -o wide
NAME        READY   STATUS                 RESTARTS   AGE     IP             NODE                                 NOMINATED NODE   READINESS GATES
my-pod      1/1     Running                0          69m     10.244.6.8     aks-sharednp-50716919-vmss000003     <none>           <none>

$ kubectl get pods -n security-profiles-operator -o wide | grep aks-sharednp-50716919-vmss000003
security-profiles-operator-74565b6d4d-v8xnb           1/1     Running   0          17h   10.244.6.214    aks-sharednp-50716919-vmss000003     <none>           <none>
spod-2gwcx                                            4/4     Running   0          29m   10.244.6.160    aks-sharednp-50716919-vmss000003     <none>           <none>
```

kubectl logs -f spod-2gwcx -n security-profiles-operator
Defaulted container "security-profiles-operator" out of: security-profiles-operator, log-enricher, bpf-recorder, metrics, non-root-enabler (init)
I1205 09:37:47.296182 3943436 main.go:263] "Set logging verbosity to 1"
I1205 09:37:47.296200 3943436 main.go:269] "Profiling support enabled: false"
I1205 09:37:47.296279 3943436 main.go:289] "starting component: spod" logger="setup" version="0.8.2-dev" gitCommit="a2ce605fd62c4378d25dd9d2ed5dd49d5a75aa6c" gitCommitDate="2023-12-05T07:52:48Z" gitTreeState="clean" buildDate="1980-01-01T00:00:00Z" goVersion="go1.21.4" compiler="gc" platform="linux/amd64" libseccomp="2.5.4" libbpf="v1.2" buildTags="netgo,osusergo,seccomp,apparmor" ldFlags="unknown" cgoldFlags="unknown" dependencies="cloud.google.com/go/compute/metadata v0.2.3 ,cuelang.org/go v0.6.0 ,filippo.io/edwards25519 v1.0.0 ,github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 ,github.com/Azure/azure-sdk-for-go v68.0.0+incompatible ,github.com/Azure/go-autorest/autorest v0.11.29 ,github.com/Azure/go-autorest/autorest/adal v0.9.23 ,github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 ,github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 ,github.com/Azure/go-autorest/autorest/date v0.3.0 ,github.com/Azure/go-autorest/logger v0.2.1 ,github.com/Azure/go-autorest/tracing v0.6.0 ,github.com/DataDog/datadog-agent/pkg/obfuscate v0.48.1 ,github.com/DataDog/datadog-agent/pkg/remoteconfig/state v0.48.1 ,github.com/DataDog/datadog-go/v5 v5.3.0 ,github.com/DataDog/go-tuf v1.0.2-0.5.2 ,github.com/DataDog/sketches-go v1.4.3 ,github.com/OneOfOne/xxhash v1.2.8 ,github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c ,github.com/acobaugh/osrelease v0.1.0 ,github.com/agnivade/levenshtein v1.1.1 ,github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 ,github.com/alibabacloud-go/cr-20160607 v1.0.1 ,github.com/alibabacloud-go/cr-20181201 v1.0.10 ,github.com/alibabacloud-go/darabonba-openapi v0.2.1 ,github.com/alibabacloud-go/debug v1.0.0 ,github.com/alibabacloud-go/endpoint-util v1.1.1 ,github.com/alibabacloud-go/openapi-util v0.1.0 ,github.com/alibabacloud-go/tea v1.2.1 ,github.com/alibabacloud-go/tea-utils v1.4.5 ,github.com/alibabacloud-go/tea-xml v1.1.3 ,github.com/aliyun/credentials-go v1.3.1 
,github.com/aquasecurity/libbpfgo v0.6.0-libbpf-1.3 ,github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 ,github.com/aws/aws-sdk-go-v2 v1.21.2 ,github.com/aws/aws-sdk-go-v2/config v1.19.1 ,github.com/aws/aws-sdk-go-v2/credentials v1.13.43 ,github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 ,github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 ,github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 ,github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 ,github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 ,github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 ,github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 ,github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 ,github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 ,github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 ,github.com/aws/smithy-go v1.15.0 ,github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 ,github.com/beorn7/perks v1.0.1 ,github.com/blang/semver v3.5.1+incompatible ,github.com/blang/semver/v4 v4.0.0 ,github.com/buildkite/agent/v3 v3.58.0 ,github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251 ,github.com/cert-manager/cert-manager v1.13.2 ,github.com/cespare/xxhash/v2 v2.2.0 ,github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 ,github.com/clbanning/mxj/v2 v2.7.0 ,github.com/cloudflare/circl v1.3.5 ,github.com/cockroachdb/apd/v3 v3.2.1 ,github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be ,github.com/containerd/stargz-snapshotter/estargz v0.15.1 ,github.com/containers/common v0.57.0 ,github.com/coreos/go-oidc/v3 v3.7.0 ,github.com/cpuguy83/go-md2man/v2 v2.0.3 ,github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 ,github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc ,github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 ,github.com/digitorus/timestamp v0.0.0-20230902153158-687734543647 ,github.com/dimchansky/utfbom v1.1.1 
,github.com/docker/cli v24.0.7+incompatible ,github.com/docker/distribution v2.8.3+incompatible ,github.com/docker/docker v24.0.7+incompatible ,github.com/docker/docker-credential-helpers v0.8.0 ,github.com/dustin/go-humanize v1.0.1 ,github.com/emicklei/go-restful/v3 v3.11.0 ,github.com/emicklei/proto v1.12.1 ,github.com/evanphx/json-patch/v5 v5.6.0 ,github.com/fsnotify/fsnotify v1.7.0 ,github.com/gabriel-vasile/mimetype v1.4.3 ,github.com/go-chi/chi v4.1.2+incompatible ,github.com/go-ini/ini v1.67.0 ,github.com/go-jose/go-jose/v3 v3.0.1 ,github.com/go-logr/logr v1.3.0 ,github.com/go-logr/stdr v1.2.2 ,github.com/go-openapi/analysis v0.21.4 ,github.com/go-openapi/errors v0.20.4 ,github.com/go-openapi/jsonpointer v0.20.0 ,github.com/go-openapi/jsonreference v0.20.2 ,github.com/go-openapi/loads v0.21.2 ,github.com/go-openapi/runtime v0.26.0 ,github.com/go-openapi/spec v0.20.9 ,github.com/go-openapi/strfmt v0.21.7 ,github.com/go-openapi/swag v0.22.4 ,github.com/go-openapi/validate v0.22.1 ,github.com/go-playground/locales v0.14.1 ,github.com/go-playground/universal-translator v0.18.1 ,github.com/go-playground/validator/v10 v10.15.5 ,github.com/gobwas/glob v0.2.3 ,github.com/gogo/protobuf v1.3.2 ,github.com/golang-jwt/jwt/v4 v4.5.0 ,github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da ,github.com/golang/protobuf v1.5.3 ,github.com/golang/snappy v0.0.4 ,github.com/google/certificate-transparency-go v1.1.7 ,github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 ,github.com/google/go-cmp v0.6.0 ,github.com/google/go-containerregistry v0.17.0 ,github.com/google/go-github/v55 v55.0.0 ,github.com/google/go-querystring v1.1.0 ,github.com/google/gofuzz v1.2.0 ,github.com/google/s2a-go v0.1.7 ,github.com/google/uuid v1.4.0 ,github.com/googleapis/enterprise-certificate-proxy v0.3.2 ,github.com/gorilla/mux v1.8.0 ,github.com/gowebpki/jcs v1.0.1 ,github.com/hashicorp/go-cleanhttp v0.5.2 ,github.com/hashicorp/go-retryablehttp v0.7.4 
,github.com/hashicorp/hcl v1.0.1-vault-5 ,github.com/imdario/mergo v0.3.16 ,github.com/in-toto/in-toto-golang v0.9.0 ,github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 ,github.com/jellydator/ttlcache/v3 v3.1.0 ,github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 ,github.com/josharian/intern v1.0.0 ,github.com/json-iterator/go v1.1.12 ,github.com/klauspost/compress v1.17.3 ,github.com/leodido/go-urn v1.2.4 ,github.com/lestrrat-go/blackmagic v1.0.2 ,github.com/lestrrat-go/httpcc v1.0.1 ,github.com/lestrrat-go/httprc v1.0.4 ,github.com/lestrrat-go/iter v1.0.2 ,github.com/lestrrat-go/jwx/v2 v2.0.16 ,github.com/lestrrat-go/option v1.0.1 ,github.com/letsencrypt/boulder v0.0.0-20231026200631-000cd05d5491 ,github.com/magiconair/properties v1.8.7 ,github.com/mailru/easyjson v0.7.7 ,github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 ,github.com/mitchellh/go-homedir v1.1.0 ,github.com/mitchellh/go-wordwrap v1.0.1 ,github.com/mitchellh/mapstructure v1.5.0 ,github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd ,github.com/modern-go/reflect2 v1.0.2 ,github.com/mozillazg/docker-credential-acr-helper v0.3.0 ,github.com/mpvl/unique v0.0.0-20150818121801-cbe035fff7de ,github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 ,github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 ,github.com/nxadm/tail v1.4.11 ,github.com/oklog/ulid v1.3.1 ,github.com/oleiade/reflections v1.0.1 ,github.com/open-policy-agent/opa v0.58.0 ,github.com/opencontainers/go-digest v1.0.0 ,github.com/opencontainers/image-spec v1.1.0-rc5 ,github.com/opencontainers/runtime-spec v1.1.0 ,github.com/openshift/api v0.0.0-20221205111557-f2fbb1d1cd5e ,github.com/opentracing/opentracing-go v1.2.0 ,github.com/outcaste-io/ristretto v0.2.3 ,github.com/pborman/uuid v1.2.1 ,github.com/pelletier/go-toml/v2 v2.1.0 ,github.com/philhofer/fwd v1.1.2 ,github.com/pjbgf/go-apparmor v0.1.2 ,github.com/pkg/errors v0.9.1 
,github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.70.0 ,github.com/prometheus/client_golang v1.17.0 ,github.com/prometheus/client_model v0.5.0 ,github.com/prometheus/common v0.45.0 ,github.com/prometheus/procfs v0.12.0 ,github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf ,github.com/puzpuzpuz/xsync/v2 v2.5.1 ,github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 ,github.com/russross/blackfriday/v2 v2.1.0 ,github.com/sagikazarmark/slog-shim v0.1.0 ,github.com/sassoftware/relic v7.2.1+incompatible ,github.com/seccomp/libseccomp-golang v0.10.0 ,github.com/secure-systems-lab/go-securesystemslib v0.7.0 ,github.com/segmentio/ksuid v1.0.4 ,github.com/shibumi/go-pathspec v1.3.0 ,github.com/sigstore/cosign/v2 v2.2.1 ,github.com/sigstore/fulcio v1.4.3 ,github.com/sigstore/rekor v1.3.3 ,github.com/sigstore/sigstore v1.7.5 ,github.com/sigstore/timestamp-authority v1.2.0 ,github.com/sirupsen/logrus v1.9.3 ,github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 ,github.com/spf13/afero v1.10.0 ,github.com/spf13/cast v1.5.1 ,github.com/spf13/cobra v1.8.0 ,github.com/spf13/pflag v1.0.5 ,github.com/spf13/viper v1.17.0 ,github.com/spiffe/go-spiffe/v2 v2.1.6 ,github.com/subosito/gotenv v1.6.0 ,github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d ,github.com/tchap/go-patricia/v2 v2.3.1 ,github.com/theupdateframework/go-tuf v0.6.1 ,github.com/tinylib/msgp v1.1.8 ,github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 ,github.com/tjfoc/gmsm v1.4.1 ,github.com/transparency-dev/merkle v0.0.2 ,github.com/urfave/cli/v2 v2.26.0 ,github.com/vbatts/tar-split v0.11.5 ,github.com/xanzy/go-gitlab v0.93.2 ,github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb ,github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 ,github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 ,github.com/yashtewari/glob-intersection v0.2.0 ,github.com/zeebo/errs v1.3.0 ,go.mongodb.org/mongo-driver 
v1.12.1 ,go.opencensus.io v0.24.0 ,go.opentelemetry.io/otel v1.19.0 ,go.opentelemetry.io/otel/metric v1.19.0 ,go.opentelemetry.io/otel/sdk v1.19.0 ,go.opentelemetry.io/otel/trace v1.19.0 ,go.step.sm/crypto v0.36.1 ,go.uber.org/atomic v1.11.0 ,go.uber.org/multierr v1.11.0 ,go.uber.org/zap v1.26.0 ,golang.org/x/crypto v0.16.0 ,golang.org/x/exp v0.0.0-20231006140011-7918f672742d ,golang.org/x/mod v0.14.0 ,golang.org/x/net v0.19.0 ,golang.org/x/oauth2 v0.13.0 ,golang.org/x/sync v0.5.0 ,golang.org/x/sys v0.15.0 ,golang.org/x/term v0.15.0 ,golang.org/x/text v0.14.0 ,golang.org/x/time v0.3.0 ,golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 ,gomodules.xyz/jsonpatch/v2 v2.4.0 ,google.golang.org/api v0.149.0 ,google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b ,google.golang.org/grpc v1.59.0 ,google.golang.org/protobuf v1.31.0 ,gopkg.in/DataDog/dd-trace-go.v1 v1.56.1 ,gopkg.in/go-jose/go-jose.v2 v2.6.1 ,gopkg.in/inf.v0 v0.9.1 ,gopkg.in/ini.v1 v1.67.0 ,gopkg.in/square/go-jose.v2 v2.6.0 ,gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 ,gopkg.in/yaml.v2 v2.4.0 ,gopkg.in/yaml.v3 v3.0.1 ,k8s.io/api v0.28.4 ,k8s.io/apiextensions-apiserver v0.28.4 ,k8s.io/apimachinery v0.28.4 ,k8s.io/client-go v0.28.4 ,k8s.io/component-base v0.28.4 ,k8s.io/klog/v2 v2.110.1 ,k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 ,k8s.io/utils v0.0.0-20231127182322-b307cd553661 ,oras.land/oras-go/v2 v2.3.1 ,sigs.k8s.io/controller-runtime v0.16.3 ,sigs.k8s.io/gateway-api v0.8.0 ,sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd ,sigs.k8s.io/release-utils v0.7.7 ,sigs.k8s.io/structured-merge-diff/v4 v4.4.1 ,sigs.k8s.io/yaml v1.4.0 "
I1205 09:37:47.296751 3943436 metrics.go:217] "Registering metric: seccomp_profile_total" logger="metrics"
I1205 09:37:47.296769 3943436 metrics.go:217] "Registering metric: seccomp_profile_audit_total" logger="metrics"
I1205 09:37:47.296776 3943436 metrics.go:217] "Registering metric: selinux_profile_error_total" logger="metrics"
I1205 09:37:47.296812 3943436 metrics.go:217] "Registering metric: apparmor_profile_error_total" logger="metrics"
I1205 09:37:47.296886 3943436 metrics.go:217] "Registering metric: seccomp_profile_bpf_total" logger="metrics"
I1205 09:37:47.296898 3943436 metrics.go:217] "Registering metric: seccomp_profile_error_total" logger="metrics"
I1205 09:37:47.296906 3943436 metrics.go:217] "Registering metric: selinux_profile_total" logger="metrics"
I1205 09:37:47.296928 3943436 metrics.go:217] "Registering metric: selinux_profile_audit_total" logger="metrics"
I1205 09:37:47.296940 3943436 metrics.go:217] "Registering metric: apparmor_profile_total" logger="metrics"
I1205 09:37:47.296949 3943436 metrics.go:217] "Registering metric: apparmor_profile_audit_total" logger="metrics"
I1205 09:37:47.297191 3943436 main.go:368] "watching all namespaces" logger="setup"
I1205 09:37:47.297944 3943436 grpc.go:60] "Starting GRPC server API" logger="metrics"
I1205 09:37:47.341753 3943436 profilerecorder.go:144] "Setting up profile recorder" logger="recorder-spod" Node="10.12.20.41"
I1205 09:37:47.341801 3943436 main.go:497] "starting daemon" logger="setup"
I1205 09:37:47.341844 3943436 server.go:185] "Starting metrics server" logger="controller-runtime.metrics"
I1205 09:37:47.341913 3943436 server.go:50] "starting server" kind="health probe" addr="[::]:8085"
I1205 09:37:47.341917 3943436 server.go:224] "Serving metrics server" logger="controller-runtime.metrics" bindAddress=":8080" secure=false
I1205 09:37:47.342145 3943436 controller.go:178] "Starting EventSource" controller="profilerecorder" controllerGroup="" controllerKind="Pod" source="kind source: *v1.Pod"
I1205 09:37:47.342167 3943436 controller.go:186] "Starting Controller" controller="profilerecorder" controllerGroup="" controllerKind="Pod"
I1205 09:37:47.342151 3943436 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1beta1.SeccompProfile"
I1205 09:37:47.342274 3943436 controller.go:178] "Starting EventSource" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" source="kind source: *v1alpha1.SecurityProfilesOperatorDaemon"
I1205 09:37:47.342296 3943436 controller.go:186] "Starting Controller" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile"
I1205 09:37:47.454407 3943436 controller.go:220] "Starting workers" controller="profilerecorder" controllerGroup="" controllerKind="Pod" worker count=1
I1205 09:37:47.455670 3943436 controller.go:220] "Starting workers" controller="profile" controllerGroup="security-profiles-operator.x-k8s.io" controllerKind="SeccompProfile" worker count=1
I1205 09:37:47.455773 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="log" namespace="default"
I1205 09:37:47.455859 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="log" namespace="default"
I1205 09:37:47.455878 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="log" namespace="default"
I1205 09:37:47.556383 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="log" namespace="default"
I1205 09:37:47.556512 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="log" namespace="default"
I1205 09:37:47.556544 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="log" namespace="default"
I1205 09:37:47.556670 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:37:47.556714 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:37:47.556737 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:37:47.556793 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:37:47.556862 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:37:47.556879 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:37:47.556924 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="log-enricher-trace" namespace="security-profiles-operator"
I1205 09:37:47.556940 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="log-enricher-trace" namespace="security-profiles-operator"
I1205 09:37:47.556955 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="log-enricher-trace" namespace="security-profiles-operator"
I1205 09:37:47.556983 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="log-enricher-trace" namespace="security-profiles-operator"
I1205 09:37:47.557046 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="log-enricher-trace" namespace="security-profiles-operator"
I1205 09:37:47.557057 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="log-enricher-trace" namespace="security-profiles-operator"
I1205 09:38:00.027781 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.027806 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.027821 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.027873 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.028018 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.028040 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.037828 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.037850 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.037866 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.037916 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.037987 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.038006 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.051817 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.051837 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.051855 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.051905 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.052002 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.052022 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.063284 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.063301 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.063321 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.063368 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.063448 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.063467 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.084140 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.084159 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.084174 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.084217 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.084293 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.084321 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.599763 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.599784 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.599804 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.599864 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.599958 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:00.599980 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:01.118351 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:01.118382 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:01.118400 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:01.118576 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:01.118738 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:01.118753 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.077338 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.077359 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.077379 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.077457 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.077580 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.077597 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.597482 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.597502 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.597519 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.597571 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.597639 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.597652 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.615787 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.615808 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.615828 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.615890 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.615981 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.616006 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.626841 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.626861 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.626881 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.626934 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.627014 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.627033 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.641580 3943436 seccompprofile.go:445] "Merge possible base profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.641601 3943436 seccompprofile.go:452] "Validate profile" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.641618 3943436 seccompprofile.go:460] "Got profile content" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.641662 3943436 seccompprofile.go:492] "Saving profile to disk" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.641738 3943436 seccompprofile.go:507] "Checking node status" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
I1205 09:38:31.641767 3943436 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"

What you expected to happen:

Expect the eBPF recording in the bpf-recorder container's log

How to reproduce it (as minimally and precisely as possible):

Steps above

Anything else we need to know?:

Environment:

saschagrunert commented 12 months ago

@sybadm is the namespace labeled correctly per https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/installation-usage.md#label-namespaces-for-binding-and-recording ?

sybadm commented 12 months ago

> @sybadm is the namespace labeled correctly per https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/installation-usage.md#label-namespaces-for-binding-and-recording ?

@saschagrunert that was helpful. I'm getting: Unable to find profile in cluster for container ID

libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:50.594629 3386371 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:37:50.594674 3386371 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:37:50.595077 3386371 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:37:50.595184 3386371 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:37:50.596711 3386371 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:37:50.596740 3386371 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:37:50.612239 3386371 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: matching candidate #0 <byte_off> [39224] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)
libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:38:26.010678 1723838 bpfrecorder.go:420] "Getting bpf program sys_enter" logger="bpf-recorder"
I1205 09:38:26.010714 1723838 bpfrecorder.go:426] "Attaching bpf tracepoint" logger="bpf-recorder"
I1205 09:38:26.011285 1723838 bpfrecorder.go:431] "Getting syscalls map" logger="bpf-recorder"
I1205 09:38:26.011354 1723838 bpfrecorder.go:437] "Getting pid_mntns map" logger="bpf-recorder"
I1205 09:38:26.013397 1723838 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 09:38:26.013440 1723838 bpfrecorder.go:785] "Unloading bpf module" logger="bpf-recorder"
I1205 09:38:26.036121 1723838 bpfrecorder.go:193] "Starting GRPC API server" logger="bpf-recorder"
I1205 10:23:42.912760 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=16
I1205 10:23:43.159794 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=16
I1205 10:23:44.852250 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=17
I1205 10:23:45.080185 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=17
I1205 10:23:47.148089 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=18
I1205 10:23:47.369228 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=18
I1205 10:23:49.870973 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=19
E1205 10:23:49.926346 3943515 bpfrecorder.go:630] "Unable to find profile in cluster for container ID" err="searching container ID d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49: wait on retry: timed out waiting for the condition" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" pid=4013476 mntns=4026533575
I1205 10:23:50.083975 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" try=19
E1205 10:23:50.150302 3943515 bpfrecorder.go:630] "Unable to find profile in cluster for container ID" err="searching container ID d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49: wait on retry: timed out waiting for the condition" logger="bpf-recorder" id="d64cc21d8de45c85afea7d873d3fc95eb598531284f6095e4c7f6ddb061a5c49" pid=4013477 mntns=4026533575
libbpf: prog 'sys_enter': relo #3: <byte_off> [382] struct mnt_namespace.ns.inum (0:0:2 @ offset 16)

I still don't see seccompprofile: test-recording

$ cat test-profile-recording.yaml
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: test-recording
  namespace: default
spec:
  kind: SeccompProfile
  recorder: bpf
  podSelector:
    matchLabels:
      app: my-app
$ kubectl get seccompprofile -o wide -A
NAMESPACE                    NAME                    STATUS      AGE     LOCALHOSTPROFILE
default                      log                     Installed   81m     operator/default/log.json
default                      test-recording-alpine   Installed   12m     operator/default/test-recording-alpine.json
security-profiles-operator   log-enricher-trace      Installed   83m     operator/security-profiles-operator/log-enricher-trace.json
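The "Looking up container ID in cluster" retries followed by the "Unable to find profile in cluster for container ID" error are what the bpf-recorder emits when it sees syscalls from a container it cannot map to a ProfileRecording (in this thread, because the namespace was not labeled). The following triage helper is an added example, not code from the security-profiles-operator project: it parses klog-style lines in the format quoted above and reports, per container ID, how many lookup attempts were made and whether the recorder gave up. The container ID, PIDs and sample lines are constructed.

```python
"""Triage helper for SPO bpf-recorder logs (added example, not part of the
security-profiles-operator project). It parses klog-style lines like the ones
quoted in the thread and reports container IDs the recorder kept retrying and
finally gave up on ("Unable to find profile in cluster for container ID")."""
import re
from collections import defaultdict

# klog header: <severity><MMDD> <HH:MM:SS.micro> <pid> <file:line>] "<message>" k=v ...
HEADER_RE = re.compile(
    r'^([IWEF])(\d{4}) (\d{2}:\d{2}:\d{2}\.\d+) +(\d+) (\S+)\] "([^"]*)"(.*)$'
)
# key=value pairs after the message; values are either quoted (may contain spaces) or bare
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_line(line):
    """Parse one klog line into a dict; returns None for non-klog lines (libbpf chatter)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    sev, _mmdd, ts, pid, loc, msg, rest = m.groups()
    fields = {}
    for kv in KV_RE.finditer(rest):
        fields[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    return {"sev": sev, "ts": ts, "pid": int(pid), "loc": loc, "msg": msg, **fields}


def triage(lines):
    """Group bpf-recorder lookups by container ID.

    Returns {container_id: {"tries": highest retry seen, "failed": gave up?,
    "pids": process IDs that hit the timeout, "mntns": their mount namespaces}}.
    failed=True means syscalls were seen for a container that no ProfileRecording
    could be matched to, which is the symptom of an unlabeled namespace.
    """
    out = defaultdict(lambda: {"tries": 0, "failed": False, "pids": set(), "mntns": set()})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("logger") != "bpf-recorder" or "id" not in rec:
            continue
        entry = out[rec["id"]]
        if rec["msg"] == "Looking up container ID in cluster":
            entry["tries"] = max(entry["tries"], int(rec.get("try", 0)))
        elif rec["sev"] == "E" and rec["msg"].startswith("Unable to find profile"):
            entry["failed"] = True
            if "pid" in rec:
                entry["pids"].add(int(rec["pid"]))
            if "mntns" in rec:
                entry["mntns"].add(int(rec["mntns"]))
    return dict(out)


# Constructed sample in the same format as the bpf-recorder output above (IDs are made up).
CID = "ab" * 32
SAMPLE = f'''libbpf: prog 'sys_enter': relo #3: patched insn #22 (ALU/ALU64) imm 16 -> 16
I1205 09:37:50.596711 3386371 bpfrecorder.go:461] "Module successfully loaded" logger="bpf-recorder"
I1205 10:23:42.912760 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="{CID}" try=16
I1205 10:23:49.870973 3943515 bpfrecorder.go:697] "Looking up container ID in cluster" logger="bpf-recorder" id="{CID}" try=19
E1205 10:23:49.926346 3943515 bpfrecorder.go:630] "Unable to find profile in cluster for container ID" err="searching container ID {CID}: wait on retry: timed out waiting for the condition" logger="bpf-recorder" id="{CID}" pid=4013476 mntns=4026533575
I1205 10:23:50.000000 3943515 seccompprofile.go:515] "Already in the expected Installed state" logger="seccomp-spod" profile="audit-profile" namespace="seccomp"
'''.splitlines()

if __name__ == "__main__":
    for cid, info in triage(SAMPLE).items():
        status = "GAVE UP" if info["failed"] else "still looking"
        print(f"{cid[:12]}: {status} after {info['tries']} tries, pids={sorted(info['pids'])}, mntns={sorted(info['mntns'])}")
```

Feed it the real output of `kubectl -n security-profiles-operator logs --selector name=spod -c bpf-recorder` to list every container the recorder could not match; a non-empty list is the cue to check the namespace label before anything else.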
saschagrunert commented 12 months ago

@sybadm tested it on AKS now, and it should work when the nginx pod is running healthy for a couple of seconds. After removal, the profile test-recording-nginx should be installed.

saschagrunert commented 12 months ago

I'm not sure but you may have to do this as well: https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/installation-usage.md#installation-on-aks

sybadm commented 12 months ago

> I'm not sure but you may have to do this as well: https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/installation-usage.md#installation-on-aks

You are an absolute gem! I thought I had this applied, but maybe I forgot when I re-installed it. Recording works now!

I believe the documentation needs some polishing.

Is there any way to keep recording enabled without deleting the pods to flush the recording info into the SPOD log?

Ta

saschagrunert commented 12 months ago

> Is there any way to keep recording enabled without deleting the pods to flush the recording info into the SPOD log?

Not right now, we have no further trigger implemented yet. Might be a good feature request, though.

sybadm commented 12 months ago

ta

sybadm commented 12 months ago

Any advice on this... Sorry, I know I should not use the thread for discussion, but there should be an option to have discussions.

$ kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"apparmorenabled":"true"}}'
Warning: unknown field "spec.apparmorenabled"
securityprofilesoperatordaemon.security-profiles-operator.x-k8s.io/spod patched (no change)
saschagrunert commented 12 months ago

@sybadm can you try enableAppArmor? This may be a doc bug.

sybadm commented 12 months ago

> @sybadm can you try enableAppArmor? This may be a doc bug.

you again made my day!

$ kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"enableAppArmor":"true"}}'
The SecurityProfilesOperatorDaemon "spod" is invalid: spec.enableAppArmor: Invalid value: "string": spec.enableAppArmor in body must be of type boolean: "string"
$ kubectl -n security-profiles-operator patch spod spod --type=merge -p '{"spec":{"enableAppArmor":true}}'
securityprofilesoperatordaemon.security-profiles-operator.x-k8s.io/spod patched
saschagrunert commented 12 months ago

@sybadm do you want to provide a doc update PR or should I take care of that?

sybadm commented 12 months ago

> @sybadm do you want to provide a doc update PR or should I take care of that?

Will do, there are a few corrections ... I will consolidate all in one.

sybadm commented 12 months ago

Sorry, I'm back again, I do not want to open a new thread for this. The AppArmorProfile does not get into action.

$ cat ap.yaml
---
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: AppArmorProfile
metadata:
  name: test-profile
  annotations:
    description: Block writing to any files in the disk.
spec:
  policy: |
    #include <tunables/global>

    profile test-profile flags=(attach_disconnected) {
      #include <abstractions/base>

      file,

      # Deny all file writes.
      deny /** w,
    }

$ cat dep.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-pod
  annotations:
    container.apparmor.security.beta.kubernetes.io/test-container: localhost/test-profile
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: test-container

$ kubectl get apparmorprofile -o yaml
apiVersion: v1
items:
- apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
  kind: AppArmorProfile
  metadata:
    annotations:
      description: Block writing to any files in the disk.
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"security-profiles-operator.x-k8s.io/v1alpha1","kind":"AppArmorProfile","metadata":{"annotations":{"description":"Block writing to any files in the disk."},"name":"test-profile","namespace":"default"},"spec":{"policy":"#include \u003ctunables/global\u003e\n\nprofile test-profile flags=(attach_disconnected) {\n  #include \u003cabstractions/base\u003e\n\n  file,\n\n  # Deny all file writes.\n  deny /** w,\n}\n"}}
    creationTimestamp: "2023-12-05T16:56:42Z"
    finalizers:
    - aks-i3mrpsgenp-18055575-vmss00000c-deleted
    - aks-systempool-32724526-vmss000007-deleted
    - aks-systempool-32724526-vmss00001j-deleted
    - aks-i2mrpsge2np-16288669-vmss0000fl-deleted
    - aks-sharednp-50716919-vmss000000-deleted
    - aks-systempool-32724526-vmss00000m-deleted
    - aks-i2mrpsge2np-16288669-vmss0000fk-deleted
    - aks-i2mrdashnp-23170901-vmss000009-deleted
    - aks-sharednp-50716919-vmss000009-deleted
    - aks-sharednp-50716919-vmss000003-deleted
    - aks-systempool-32724526-vmss00001i-deleted
    generation: 1
    labels:
      spo.x-k8s.io/profile-id: AppArmorProfile-test-profile
    name: test-profile
    namespace: default
    resourceVersion: "59596250"
    uid: ccc36c3c-6523-4138-afc7-a7af417971a0
  spec:
    policy: |
      #include <tunables/global>

      profile test-profile flags=(attach_disconnected) {
        #include <abstractions/base>

        file,

        # Deny all file writes.
        deny /** w,
      }
kind: List
metadata:
  resourceVersion: ""
$ kubectl exec -it test-pod-6964545f4c-75gn4 -- bash
root@test-pod-6964545f4c-75gn4:/# touch abc
root@test-pod-6964545f4c-75gn4:/# rm abc
root@test-pod-6964545f4c-75gn4:/# exit
exit
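One thing to verify on the dep.yaml shape posted above: Kubernetes reads the `container.apparmor.security.beta.kubernetes.io/<container>` annotation from the Pod object's own metadata, so in a Deployment it must live under `spec.template.metadata.annotations`; an annotation on the Deployment's top-level metadata is not copied to the Pods it creates. The lint below is an added example, not part of the security-profiles-operator project, and runs against a constructed manifest dict that mirrors the posted Deployment.

```python
"""Lint for AppArmor annotation placement in a Deployment manifest (added example,
not part of security-profiles-operator). Kubernetes looks for
container.apparmor.security.beta.kubernetes.io/<container> on the Pod itself, so
a Deployment must carry it under spec.template.metadata, not on its own metadata."""
import copy
import re

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
# Valid values for the annotation: runtime/default, unconfined, or localhost/<loaded profile name>
PROFILE_REF_RE = re.compile(r"^(runtime/default|unconfined|localhost/[A-Za-z0-9_.-]+)$")


def apparmor_annotations(meta):
    """Map container name -> profile reference for the AppArmor annotations in a metadata block."""
    annotations = (meta or {}).get("annotations") or {}
    return {k[len(ANNOTATION_PREFIX):]: v for k, v in annotations.items() if k.startswith(ANNOTATION_PREFIX)}


def lint_deployment(dep):
    """Return a list of findings; an empty list means the annotation reaches the Pod and is well-formed."""
    findings = []
    top = apparmor_annotations(dep.get("metadata"))
    template = dep.get("spec", {}).get("template", {})
    pod = apparmor_annotations(template.get("metadata"))
    containers = {c["name"] for c in template.get("spec", {}).get("containers", [])}
    for name in top:
        if name not in pod:
            findings.append(f"annotation for container '{name}' is on the Deployment metadata only; "
                            "move it under spec.template.metadata.annotations or it never reaches the Pod")
    if not top and not pod:
        findings.append("no AppArmor annotation found at all")
    for name, ref in pod.items():
        if name not in containers:
            findings.append(f"annotation names container '{name}' but the pod template has {sorted(containers)}")
        if not PROFILE_REF_RE.match(ref):
            findings.append(f"profile reference '{ref}' for '{name}' is not runtime/default, unconfined or localhost/<profile>")
    return findings


def fix_placement(dep):
    """Return a copy with Deployment-level AppArmor annotations moved into the pod template."""
    out = copy.deepcopy(dep)
    top_ann = out.setdefault("metadata", {}).get("annotations", {})
    moved = {k: top_ann.pop(k) for k in list(top_ann) if k.startswith(ANNOTATION_PREFIX)}
    tmpl_meta = out.setdefault("spec", {}).setdefault("template", {}).setdefault("metadata", {})
    tmpl_meta.setdefault("annotations", {}).update(moved)
    return out


# Constructed manifest with the same shape as dep.yaml in the thread: annotation on the Deployment, not the Pod template.
BROKEN = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "test-pod",
                 "annotations": {ANNOTATION_PREFIX + "test-container": "localhost/test-profile"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"containers": [{"image": "nginx", "name": "test-container"}]}}},
}

if __name__ == "__main__":
    for finding in lint_deployment(BROKEN):
        print("FINDING:", finding)
    print("after fix:", lint_deployment(fix_placement(BROKEN)) or "clean")
```

Once the annotation is on the Pod template, `kubectl get pod <name> -o jsonpath='{.metadata.annotations}'` should show it on the running Pod; if it still does not take effect, the profile name after `localhost/` must match a profile the operator loaded on that node.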
sybadm commented 12 months ago

> @sybadm do you want to provide a doc update PR or should I take care of that?

I'm getting: Pull request creation failed. Validation failed: must be a collaborator

saschagrunert commented 12 months ago

@shysank can we create a new issue for that, @pjbgf may have some insights here as well.