SELinux Profile Bindings don't seem to work

[tdeokar-code]

In the daemonset object, when the customer specifies the selinux profile explicitly using securityContext->seLinuxOptions->type, the profile gets assigned as [expected.]
If the customer removes that part, the customer thought that using a security profile binding would be sufficient in order to have the profile injected automatically (by the mutating webhook the cutsomer assume).
But when the customer checks the pod specs the selinux type is empty and the container context is set to the default container_t.

[andreaskaris]

Hello, your customer is likely missing the required namespace annotation (spo.x-k8s.io/enable-binding: "true", see below).

I tested the following on OpenShift 4.18, and it works without any issues:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.18/html/networking_operators/ebpf-manager-operator

apiVersion: v1
kind: Namespace
metadata:
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/warn: privileged
    spo.x-k8s.io/enable-binding: "true"
  name: go-xdp-counter
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bpfman-app-go-xdp-counter
  namespace: go-xdp-counter
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: xdp-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: bpfman-user
subjects:
- kind: ServiceAccount
  name: bpfman-app-go-xdp-counter
  namespace: go-xdp-counter
---
apiVersion: bpfman.io/v1alpha1
kind: XdpProgram
metadata:
  labels:
    app.kubernetes.io/name: xdpprogram
  name: go-xdp-counter-example
spec:
  bpffunctionname: xdp_stats
  bytecode:
    image:
      url: quay.io/bpfman-bytecode/go-xdp-counter:v0.5.1
  interfaceselector:
    primarynodeinterface: true
  nodeselector: {}
  priority: 55
---
apiVersion: security-profiles-operator.x-k8s.io/v1alpha2
kind: SelinuxProfile
metadata:
  name: bpfman-secure
  namespace: go-xdp-counter
spec:
  allow:
    '@self':
      bpf:
      - map_read
      - map_write
    spc_t:
      bpf:
      - map_read
      - map_write
  inherit:
  - kind: System
    name: container
---
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  namespace: go-xdp-counter
  name: bpfman-agent-profile-binding
spec:
  profileRef:
    kind: SelinuxProfile
    name: bpfman-secure
  image: quay.io/bpfman-userspace/go-xdp-counter:v0.5.1
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    k8s-app: go-xdp-counter
  name: go-xdp-counter-ds
  namespace: go-xdp-counter
spec:
  selector:
    matchLabels:
      name: go-xdp-counter
  template:
    metadata:
      labels:
        name: go-xdp-counter
    spec:
      containers:
      - env:
        - name: NODENAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        image: quay.io/bpfman-userspace/go-xdp-counter:v0.5.1
        imagePullPolicy: IfNotPresent
        name: go-xdp-counter
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsGroup: 65534
          runAsUser: 65534
        volumeMounts:
        - mountPath: /run/xdp/maps
          name: go-xdp-counter-maps
          readOnly: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector: {}
      securityContext:
        fsGroup: 65534
        runAsNonRoot: true
      serviceAccountName: bpfman-app-go-xdp-counter
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/control-plane
        operator: Exists
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
      volumes:
      - csi:
          driver: csi.bpfman.io
          volumeAttributes:
            csi.bpfman.io/maps: xdp_stats_map
            csi.bpfman.io/program: go-xdp-counter-example
        name: go-xdp-counter-maps

Here's the result:

[akaris@workstation bpfman ((232fbe31...))]$ oc get pods -n go-xdp-counter -o json | jq '.items[].spec.containers.[] | .name, .securityContext, .image'
"go-xdp-counter"
{
  "allowPrivilegeEscalation": false,
  "capabilities": {
    "drop": [
      "ALL"
    ]
  },
  "runAsGroup": 65534,
  "runAsUser": 65534,
  "seLinuxOptions": {
    "type": "bpfman-secure_go-xdp-counter.process"
  }
}
"quay.io/bpfman-userspace/go-xdp-counter:v0.5.1"

If this still doesn't work, it may be a timing issue: try creating the DaemonSet after the selinuxprofile is in state "installed" and after the profilebinding was created.