after moving to cluster scoped, namesapce still used

Recently SelinuxProfile was moved from Namespace scoped to cluster scoped. Some of the code was still using the Namespace as part of the generation of the "Usage" string. The Namespace was blank, so the usage string just ended in an "_", something like "policyName_.process". However, workloadannotator was using the application pods namespace and the code strip the "_namspace.process" off the usage string to get the actual profile name was failing. So just removed all the logic was append "_namespace" to the profile name in the usage. Resolves: #2745 Signed-off-by: Billy McFall <[email protected]>
kubernetes-sigs · Feb 28, 2025 · f491457 · f491457
1 parent 5d27dc8
commit f491457
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 22 deletions.
diff --git a/api/selinuxprofile/v1alpha2/rawselinuxprofile_types.go b/api/selinuxprofile/v1alpha2/rawselinuxprofile_types.go
@@ -69,7 +69,7 @@ func (sp *RawSelinuxProfile) SetImplementationStatus() {
 // GetPolicyName gets the policy module name in the format that
 // we're expecting for parsing.
 func (sp *RawSelinuxProfile) GetPolicyName() string {
-	return sp.GetName() + "_" + sp.GetNamespace()
+	return sp.GetName()
 }
 
 // GetPolicyUsage is the representation of how a pod will call this

diff --git a/api/selinuxprofile/v1alpha2/selinuxprofile_types.go b/api/selinuxprofile/v1alpha2/selinuxprofile_types.go
@@ -148,7 +148,7 @@ func (sp *SelinuxProfile) SetImplementationStatus() {
 // GetPolicyName gets the policy module name in the format that
 // we're expecting for parsing.
 func (sp *SelinuxProfile) GetPolicyName() string {
-	return sp.GetName() + "_" + sp.GetNamespace()
+	return sp.GetName()
 }
 
 // GetPolicyUsage is the representation of how a pod will call this

diff --git a/internal/pkg/manager/workloadannotator/workloadannotator.go b/internal/pkg/manager/workloadannotator/workloadannotator.go
@@ -148,7 +148,7 @@ func (r *PodReconciler) Reconcile(ctx context.Context, req reconcile.Request) (r
 
 	// pod is being created or updated so ensure it is linked to a selinux profile
 	for _, profileIndex := range getSelinuxProfilesFromPod(ctx, r, pod) {
-		profileSuffix := "_" + pod.GetNamespace() + ".process"
+		profileSuffix := ".process"
 		profileName := strings.TrimSuffix(profileIndex, profileSuffix)
 
 		selinuxProfile := &selinuxprofileapi.SelinuxProfile{}
@@ -371,7 +371,7 @@ func isOperatorSelinuxType(ctx context.Context, r *PodReconciler, se *corev1.SEL
 		return false
 	}
 
-	suffix := "_" + ns + ".process"
+	suffix := ".process"
 	selinuxProfileName := strings.TrimSuffix(se.Type, suffix)
 
 	if selinuxProfileName != se.Type {

diff --git a/internal/pkg/translator/obj2cil.go b/internal/pkg/translator/obj2cil.go
@@ -79,7 +79,7 @@ func Object2CIL(
 }
 
 func getCILStart(sp *selxv1alpha2.SelinuxProfile) string {
-	return fmt.Sprintf("(block %s_%s\n", sp.GetName(), sp.GetNamespace())
+	return fmt.Sprintf("(block %s\n", sp.GetName())
 }
 
 func getCILInheritline(i string) string {

diff --git a/internal/pkg/translator/obj2cil_test.go b/internal/pkg/translator/obj2cil_test.go
@@ -40,8 +40,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test errorlogger translation with system inheritance",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo",
-					Namespace: "bar",
+					Name: "foo-bar",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -85,7 +84,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block foo_bar",
+				"\\(block foo-bar",
 				"\\(blockinherit container\\)",
 				// We match on several lines since we don't care about the order
 				"\\(allow process var_log_t \\( dir \\(.*open.*\\)\\)\\)\n",
@@ -107,8 +106,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test translation with @self",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-selinux-recording-nginx",
-					Namespace: "default",
+					Name: "test-selinux-recording-nginx",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -142,7 +140,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block test-selinux-recording-nginx_default",
+				"\\(block test-selinux-recording-nginx",
 				"\\(blockinherit container\\)",
 				// We match on several lines since we don't care about the order
 				"\\(allow process http_port_t \\( tcp_socket \\(.*name_bind.*\\)\\)\\)\n",
@@ -159,8 +157,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test successful inherit reference",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-selinux-recording-nginx",
-					Namespace: "default",
+					Name: "test-selinux-recording-nginx",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -179,7 +176,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block test-selinux-recording-nginx_default",
+				"\\(block test-selinux-recording-nginx",
 				"\\(blockinherit foo_default\\)",
 				"\\(allow process http_port_t \\( tcp_socket \\(.*name_bind.*\\)\\)\\)\\n",
 			},
@@ -189,8 +186,7 @@ func TestObject2CIL(t *testing.T) {
 			inheritobjs: []selxv1alpha2.SelinuxProfileObject{
 				&selxv1alpha2.SelinuxProfile{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      "foo",
-						Namespace: "default",
+						Name: "foo",
 					},
 				},
 			},
@@ -199,8 +195,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test errorlogger translation with permissive mode",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo-permissive",
-					Namespace: "bar",
+					Name: "foo-permissive-bar",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Permissive: true,
@@ -245,7 +240,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block foo-permissive_bar",
+				"\\(block foo-permissive-bar",
 				"\\(blockinherit container\\)",
 				"\\(typepermissive process\\)",
 				// We match on several lines since we don't care about the order
@@ -268,8 +263,7 @@ func TestObject2CIL(t *testing.T) {
 			name: "Test translation with another template than container",
 			profile: &selxv1alpha2.SelinuxProfile{
 				ObjectMeta: metav1.ObjectMeta{
-					Name:      "foo",
-					Namespace: "bar",
+					Name: "foo-bar",
 				},
 				Spec: selxv1alpha2.SelinuxProfileSpec{
 					Inherit: []selxv1alpha2.PolicyRef{
@@ -293,7 +287,7 @@ func TestObject2CIL(t *testing.T) {
 				},
 			},
 			wantMatches: []string{
-				"\\(block foo_bar",
+				"\\(block foo-bar",
 				"\\(blockinherit container\\)",
 				"\\(blockinherit net_container\\)",
 				// We match on several lines since we don't care about the order