// Module included in the following assemblies: // // * security/security_profiles_operator/spo-seccomp.adoc // * security/security_profiles_operator/spo-selinux.adoc // JKB added conditionalization requested by QE ifeval::["{context}" == "spo-seccomp"] :seccomp: :type: seccomp :kind: SeccompProfile :object: seccompprofiles endif::[] ifeval::["{context}" == "spo-selinux"] :selinux: :type: SELinux :kind: SelinuxProfile :object: selinuxprofiles endif::[] :_mod-docs-content-type: PROCEDURE [id="spo-container-profile-instances_{context}"] = Merging per-container profile instances By default, each container instance records into a separate profile. The Security Profiles Operator can merge the per-container profiles into a single profile. Merging profiles is useful when deploying applications using `ReplicaSet` or `Deployment` objects. .Procedure . Edit a `ProfileRecording` object to include a `mergeStrategy: containers` variable: + [source,yaml,subs="attributes+"] ---- apiVersion: security-profiles-operator.x-k8s.io/v1alpha1 kind: ProfileRecording metadata: # The name of the Recording is the same as the resulting {kind} CRD # after reconciliation. name: test-recording namespace: my-namespace spec: kind: {kind} recorder: logs mergeStrategy: containers podSelector: matchLabels: app: sp-record ---- . Label the namespace by running the following command: + [source,terminal] ---- $ oc label ns my-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite=true ---- . Create the workload with the following YAML: + [source,yaml] ---- apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deploy namespace: my-namespace spec: replicas: 3 selector: matchLabels: app: sp-record template: metadata: labels: app: sp-record spec: serviceAccountName: spo-record-sa containers: - name: nginx-record image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21 ports: - containerPort: 8080 ---- . To record the individual profiles, delete the deployment by running the following command: + [source,terminal] ---- $ oc delete deployment nginx-deploy -n my-namespace ---- . To merge the profiles, delete the profile recording by running the following command: + [source,terminal] ---- $ oc delete profilerecording test-recording -n my-namespace ---- . To start the merge operation and generate the results profile, run the following command: + [source,terminal,subs="attributes+"] ---- $ oc get {object} -lspo.x-k8s.io/recording-id=test-recording -n my-namespace ---- ifdef::selinux[] + .Example output for {object} [source,terminal] ---- NAME USAGE STATE test-recording-nginx-record test-recording-nginx-record_.process Installed ---- endif::[] ifdef::seccomp[] + .Example output for {object} [source,terminal] ---- NAME STATUS AGE test-recording-nginx-record Installed 55s ---- endif::[] . To view the permissions used by any of the containers, run the following command: + [source,terminal,subs="attributes+"] ---- $ oc get {object} test-recording-nginx-record -o yaml ---- ifeval::["{context}" == "spo-seccomp"] :!seccomp: :!type: :!kind: :!object: endif::[] ifeval::["{context}" == "spo-selinux"] :!selinux: :!type: :!kind: :!object: endif::[]