security-profiles-operator: enabling eBPF Recorder on AKS crashes SPOD containers
Following @saschagrunert's excellent tutorial here, I have called the method:
kubectl patch spod spod --type=merge -p '{"spec":{"enableBpfRecorder":true}}'
which eventually led to the following output on the bpf-recorder container:
I0129 19:09:14.865625 27546 logr.go:252] "msg"="Set logging verbosity to 1"
I0129 19:09:14.865684 27546 logr.go:252] "msg"="Profiling support enabled: false"
I0129 19:09:14.865733 27546 logr.go:252] setup "msg"="starting component: bpf-recorder" "buildDate"="1980-01-01T00:00:00Z" "compiler"="gc" "gitCommit"="unknown" "gitTreeState"="clean" "goVersion"="go1.17.3" "libbpf"="0.5.0" "libseccomp"="2.5.2" "platform"="linux/amd64" "version"="0.5.0-dev"
I0129 19:09:14.865789 27546 bpfrecorder.go:106] bpf-recorder "msg"="Setting up caches with expiry of 1h0m0s"
I0129 19:09:14.865820 27546 bpfrecorder.go:123] bpf-recorder "msg"="Starting log-enricher on node: aks-primary-29748022-vmss000002"
I0129 19:09:14.866518 27546 bpfrecorder.go:154] bpf-recorder "msg"="Connecting to metrics server"
I0129 19:09:14.867108 27546 bpfrecorder.go:170] bpf-recorder "msg"="Got system mount namespace: 4026531840"
I0129 19:09:14.867126 27546 bpfrecorder.go:172] bpf-recorder "msg"="Doing BPF load/unload self-test"
I0129 19:09:14.867139 27546 bpfrecorder.go:371] bpf-recorder "msg"="Loading bpf module"
I0129 19:09:14.867162 27546 bpfrecorder.go:440] bpf-recorder "msg"="Using system btf file"
I0129 19:09:14.867382 27546 bpfrecorder.go:391] bpf-recorder "msg"="Loading bpf object from module"
libbpf: map 'events': failed to create: Invalid argument(-22)
libbpf: failed to load object 'recorder.bpf.o'
E0129 19:09:14.871501 27546 logr.go:270] setup "msg"="running security-profiles-operator" "error"="load self-test: load bpf object: failed to load BPF object"
- Cloud provider or hardware configuration: Azure AKS version 1.21.7
- OS: Linux
- Kernel (e.g. uname -a): 5.4.0-1067-azure
- Others: containerd://1.4.9+azure
kubectl get nodes -o wide
❯ k get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
aks-primary-29748022-vmss000000 Ready agent 27h v1.21.7 10.240.0.4 <none> Ubuntu 18.04.6 LTS 5.4.0-1067-azure containerd://1.4.9+azure
aks-primary-29748022-vmss000001 Ready agent 27h v1.21.7 10.240.0.5 <none> Ubuntu 18.04.6 LTS 5.4.0-1067-azure containerd://1.4.9+azure
aks-primary-29748022-vmss000002 Ready agent 27h v1.21.7 10.240.0.6 <none> Ubuntu 18.04.6 LTS 5.4.0-1067-azure containerd://1.4.9+azure
About this issue
- State: closed
- Created 2 years ago
- Comments: 27 (11 by maintainers)
Still pending on AKS, I have reminded them many times. PS: it could be related to https://github.com/Azure/AKS/issues/2827
@saschagrunert: I don’t have insights on how the kernel was built as I’m not part of the AKS team.