Skip to content

Undeploying bpfman selinux example programs hang on OpenShift #331

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
anfredette opened this issue Oct 24, 2024 · 2 comments
Open

Undeploying bpfman selinux example programs hang on OpenShift #331

anfredette opened this issue Oct 24, 2024 · 2 comments
Assignees
@Billy99
Milestone
Q1-2025

Comments

@anfredette
Copy link
Contributor

Running make deploy-*-selinux to an OpenShift cluster seems to work, but make undeploy-*-selinux hangs.

On closer inspection, after deploying, the selinux profile stays in the “Pending” state which doesn’t seem right. Then, after running the undeploy command, the namespace is waiting on an selinux profile and a number of finalizers.

For more details search for the test case starting with "$ k apply -f go-tracepoint-counter-install-selinux.yaml" in bpfman Selinux Test.
@github-project-automation github-project-automation bot moved this to 🆕 New in bpfman Oct 24, 2024
@anfredette anfredette added this to the Q4-2024 milestone Oct 24, 2024
Billy99 added a commit to Billy99/bpfman-operator that referenced this issue Feb 11, 2025
@Billy99
remove dependency on security-profiles-operator
0b9e8f2 
After deploying the selinux profile, the status on the Selinux Profile
is “Pending”. security-profiles-operator is currently deployed in
OpenShift by making it a dependency of bpfman-operator. As a result, the
security-profiles-operator is deployed in the bpfman namespace.
security-profiles-operator encounters issues with this because there are
other daemonsets in the namespace. Short term, remove the dependency.
security-profiles-operator is still required, it just won't be
auto-installed.

Related: bpfman#331
Related: kubernetes-sigs/security-profiles-operator#2699

Signed-off-by: Billy McFall <[email protected]>
@Billy99 Billy99 mentioned this issue Feb 11, 2025
Open
@Billy99
Copy link
Contributor

Billy99 commented Feb 11, 2025

There are two issues here:

On closer inspection, after deploying, the selinux profile stays in the “Pending” state which doesn’t seem right.

This is because security-profiles-operator is currently deployed in OpenShift by making it a dependency of bpfman-operator via config/manifests/dependencies.yaml. As a result, the security-profiles-operator is deployed in the bpfman namespace. security-profiles-operator encounters issues with this because there are other daemonsets in the namespace.

See: kubernetes-sigs/security-profiles-operator#2699

Then, after running the undeploy command, the namespace is waiting on an selinux profile and a number of finalizers.

Upon further testing, if the application namespace is not deleted until after the SelinuxProfile is deleted, everything cleans up fine. This is a bug in security-profiles-operator.

See: kubernetes-sigs/security-profiles-operator#2684

Billy99 added a commit to Billy99/bpfman-operator that referenced this issue Feb 13, 2025
@Billy99
remove dependency on security-profiles-operator
c0fc24c 
After deploying the selinux profile, the status on the Selinux Profile
is “Pending”. security-profiles-operator is currently deployed in
OpenShift by making it a dependency of bpfman-operator. As a result, the
security-profiles-operator is deployed in the bpfman namespace.
security-profiles-operator encounters issues with this because there are
other daemonsets in the namespace. Short term, remove the dependency.
security-profiles-operator is still required, it just won't be
auto-installed.

Related: bpfman#331
Related: kubernetes-sigs/security-profiles-operator#2699

Signed-off-by: Billy McFall <[email protected]>
msherif1234 pushed a commit to msherif1234/bpfman-operator that referenced this issue Feb 24, 2025
@openshift-merge-bot
Merge pull request bpfman#331 from openshift/konflux/component-update…
9fcff7e 
…s/component-update-ocp-bpfman-operator-bundle

chore(deps): update ocp-bpfman-operator-bundle to 631d3da
@anfredette anfredette modified the milestones: Q4-2024, Q1-2025 Mar 26, 2025
@Billy99
Copy link
Contributor

Billy99 commented Apr 11, 2025

This has been fixed in security-profiles-operator v0.9.1. Just waiting for it to get merged into OperatorHub:
operator security-profiles-operator (0.9.1) #5983

Once that merges, the examples deployment code in bpfman repository will need to be updated:
support SecurityProfilesOperator v0.9.1 #1500

@anfredette anfredette marked this as a duplicate of #432 Apr 17, 2025
@anfredette anfredette mentioned this issue Apr 17, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Billy99 Billy99

Labels
None yet
Projects
bpfman
Status: 🆕 New
Milestone
Q1-2025
Development

No branches or pull requests
2 participants
@anfredette @Billy99