Unable to use Audit Log Profile - SecurityContext replaced by Profile Recording is namespaced when LocalHostProfile is not

[jwlai]

What happened:

I installed the security-profiles-operator (both the main branch, and v0.9.1) and followed the instructions to setup audit.log monitoring. However, after enabling log-enricher in the DS, I created a pod and it gives me the following error

Error: failed to create containerd container: cannot load seccomp profile "/var/lib/kubelet/seccomp/operator/security-profiles-operator/log-enricher-trace.json": open /var/lib/kubelet/seccomp/operator/security-profiles-operator/log-enricher-trace.json: no such file or directory

The pathing seems to be off as in the generated log-enricher-trace SeccompProfile object has the LocalhostProfile as operator/log-enricher-trace.json

The status is Installed as shown below.

I'm not sure what to do to remediate, I would like to use this to managed seccompProfiles as we are attempting to enable them in our cluster. The issue that was most similar is as follows #1103. The solution is not clear apart from creating a new cluster. I did not attempt to create a new cluster yet so cannot verify.

What you expected to happen:

Instructions in the example to work and allow profiles to be written out as described

How to reproduce it (as minimally and precisely as possible):

Installed application
Followed Usage guide and applied YAML manifests to cluster.

Anything else we need to know?:

Additional Logs

Log-enricher:

system_u:object_r:container_file_t:s0 tclass=sock_file permissive=1" logger="log-enricher"
I0701 17:47:51.630332 3378664 enricher.go:166] "Get container ID for PID: 1763" logger="log-enricher"
E0701 17:47:51.632938 3378664 enricher.go:179] "unable to get container ID" err="unable to find container ID in cgroup path" logger="log-enricher" processID=1763

Environment:

• Cloud provider or hardware configuration: AWS (Running EKS 1.32)
• Kernel (e.g. uname -a): Linux node-checker-2g7pm 6.1.132-147.221.amzn2023.x86_64 Implement minimal valuable implementation  #1 SMP PREEMPT_DYNAMIC Tue Apr 8 13:14:54 UTC 2025 x86_64 GNU/Linux

[ccojocar]

@ngopalak-redhat Please could you have a look at this issue? Thanks

[ngopalak-redhat]

It sounds like the issue you're encountering might be related to the path to the profile after installing the Security Profiles Operator (SPO).

Once SPO is installed, the default profile is typically located at:
/var/lib/kubelet/seccomp/operator/log-enricher-trace.json

For example, on my cluster after installing the log enricher, the content of this file looks like this:

sh-5.1# cat /var/lib/kubelet/seccomp/operator/log-enricher-trace.json
{"defaultAction":"SCMP_ACT_LOG"}

When you create your pod, you should specify the localhostProfile using this relative path:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  securityContext:
    seccompProfile:
      type: Localhost
      localhostProfile: operator/log-enricher-trace.json
  containers:
    - name: test-container
      image: nginx

After applying this, when you describe the pod, you should see the LocalhostProfile correctly referenced:

kubectl describe po test-pod
Name:           test-pod
Namespace:      default
...........
Status:         Running
SeccompProfile: Localhost
LocalhostProfile:  operator/log-enricher-trace.json

Can you verify the location of the profile on the node after enabling log enricher?

I hope this helps you in successfully creating your pod! Please let us know if you have any further questions.

[jwlai]

Hi @ngopalak-redhat, yes that is the location of the log-enricher-trace.json and when I create a pod with that path it is successful.
I left out a key detail, that I am using a ProfileRecording to bind to an application as stated in the recordings instructions and it binds however the location that is writing includes is the incorrect path. /var/lib/kubelet/seccomp/operator/security-profiles-operator/log-enricher-trace.json.

Is there a way to configure the path that ProfileRecording will apply? Or maybe I have missed a step or something in my deployment as seccompProfiles seem to not be made namespaced.

This is how I am using it... however the ProfileRecording will overwrite the pod seccompProfile to one with the added "security-profiles-operator" path

apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
  name: test-recording
  namespace: security-profiles-operator
spec:
  kind: SeccompProfile
  recorder: logs
  podSelector:
    matchLabels:
      app: my-app

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: security-profiles-operator
  labels:
    app: my-app
spec:
  containers:
    - name: nginx
      image: quay.io/security-profiles-operator/test-nginx:1.19.1
      securityContext:
        seccompProfile:
          type: Localhost
          localhostProfile: operator/log-enricher-trace.json

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten