// Module included in the following assemblies:
//
// * security/security_profiles_operator/spo-seccomp.adoc
// * security/security_profiles_operator/spo-selinux.adoc

ifeval::["{context}" == "spo-seccomp"]
:seccomp:
:type: seccomp
:kind: SeccompProfile
endif::[]
ifeval::["{context}" == "spo-selinux"]
:selinux:
:type: SELinux
:kind: SelinuxProfile
endif::[]

:_mod-docs-content-type: PROCEDURE
[id="spo-binding-workloads_{context}"]
= Binding workloads to profiles with ProfileBindings

You can use the `ProfileBinding` resource to bind a security profile to the `SecurityContext` of a container.

.Procedure

. To bind a pod that uses a `quay.io/security-profiles-operator/test-nginx-unprivileged:1.21` image to the example `{kind}` profile, create a `ProfileBinding` object in the same namespace with the pod and the `{kind}` objects:
+
[source,yaml,subs="attributes+"]
----
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
  namespace: my-namespace
  name: nginx-binding
spec:
  profileRef:
    kind: {kind} <1>
    name: profile <2>
  image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
----
<1> The `kind:` variable refers to the name of the profile.
<2> The `name:` variable refers to the name of the profile.

. Label the namespace with `enable-binding=true` by running the following command:
+
[source,terminal]
----
$ oc label ns my-namespace spo.x-k8s.io/enable-binding=true
----

. Define a pod named `test-pod.yaml`:
+
[source,yaml]
----
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test-container
    image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
----

. Create the pod:
+
[source,terminal]
----
$ oc create -f test-pod.yaml
----
+
[NOTE]
====
If the pod already exists, you must re-create the pod for the binding to work properly.
====

.Verification

ifdef::seccomp[]
* Confirm the pod inherits the `ProfileBinding` by running the following command:
+
[source,terminal]
----
$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seccompProfile}'
----
+
.Example output
[source,terminal]
----
{"localhostProfile":"operator/my-namespace/profile.json","type":"Localhost"}
----
endif::[]
ifdef::selinux[]
* Confirm the pod inherits the `ProfileBinding` by running the following command:
+
[source,terminal]
----
$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seLinuxOptions.type}'
----
+
.Example output
[source,terminal]
----
profile_nginx-binding.process
----
endif::[]


ifeval::["{context}" == "spo-seccomp"]
:!seccomp:
:!type:
:!kind:
endif::[]
ifeval::["{context}" == "spo-selinux"]
:!selinux:
:!type:
:!kind:
endif::[]