Remove the namespace from security profiles path

ccojocar · k8s-ci-robot · commit 7c62cf2ec7dd · 2025-02-25T04:40:29.000-08:00
Change-Id: I34c8a88d0af12a567b03c968fa1cdfe68ae68fc4
Signed-off-by: Cosmin Cojocar &lt;ccojocar@google.com&gt;
diff --git a/internal/pkg/manager/workloadannotator/workloadannotator.go b/internal/pkg/manager/workloadannotator/workloadannotator.go
@@ -43,7 +43,7 @@ const (
 	linkedPodsKey     = ".metadata.activeWorkloads"
 	StatusToProfLabel = "spo.x-k8s.io/profile-id"
 	reconcileTimeout  = 1 * time.Minute
-	pathParts         = 3
+	pathParts         = 2
 )
 
 // NewController returns a new empty controller instance.
@@ -129,8 +129,8 @@ func (r *PodReconciler) Reconcile(ctx context.Context, req reconcile.Request) (r
 			continue
 		}
 
-		profileNamespace := profileElements[1]
-		profileName := strings.TrimSuffix(profileElements[2], ".json")
+		profileNamespace := "" // It is a cluster wide profile.
+		profileName := strings.TrimSuffix(profileElements[1], ".json")
 		seccompProfile := &seccompprofileapi.SeccompProfile{}
 
 		if err := r.client.Get(ctx, util.NamespacedName(profileName, profileNamespace), seccompProfile); err != nil {
@@ -152,7 +152,7 @@ func (r *PodReconciler) Reconcile(ctx context.Context, req reconcile.Request) (r
 		profileName := strings.TrimSuffix(profileIndex, profileSuffix)
 
 		selinuxProfile := &selinuxprofileapi.SelinuxProfile{}
-		if err := r.client.Get(ctx, util.NamespacedName(profileName, pod.GetNamespace()), selinuxProfile); err != nil {
+		if err := r.client.Get(ctx, util.NamespacedName(profileName, ""), selinuxProfile); err != nil {
 			logger.Error(err, "could not get selinux profile for pod")
 
 			return reconcile.Result{}, fmt.Errorf("looking up SelinuxProfile for new or updated pod: %w", err)
@@ -317,7 +317,7 @@ func getSelinuxProfilesFromPod(ctx context.Context, r *PodReconciler, pod *corev
 	// try to get profile from pod securityContext
 	sc := pod.Spec.SecurityContext
 	if sc != nil {
-		if isOperatorSelinuxType(ctx, r, sc.SELinuxOptions, pod.GetNamespace()) {
+		if isOperatorSelinuxType(ctx, r, sc.SELinuxOptions, "") {
 			profiles = append(profiles, sc.SELinuxOptions.Type)
 		}
 	}
@@ -328,7 +328,7 @@ func getSelinuxProfilesFromPod(ctx context.Context, r *PodReconciler, pod *corev
 	for i := range containers {
 		sc := containers[i].SecurityContext
 		if sc != nil {
-			if isOperatorSelinuxType(ctx, r, sc.SELinuxOptions, pod.GetNamespace()) {
+			if isOperatorSelinuxType(ctx, r, sc.SELinuxOptions, "") {
 				profileString := containers[i].SecurityContext.SELinuxOptions.Type
 				if !util.Contains(profiles, profileString) {
 					profiles = append(profiles, profileString)
diff --git a/internal/pkg/manager/workloadannotator/workloadannotator_test.go b/internal/pkg/manager/workloadannotator/workloadannotator_test.go
@@ -27,8 +27,8 @@ import (
 func TestGetSeccompProfilesFromPod(t *testing.T) {
 	t.Parallel()
 
-	profilePath := "operator/default/test.json"
-	profilePath2 := "operator/default/test2.json"
+	profilePath := "operator/test.json"
+	profilePath2 := "operator/test2.json"
 	cases := []struct {
 		name string
 		pod  corev1.Pod
@@ -211,11 +211,11 @@ func TestGetSeccompProfilesFromPod(t *testing.T) {
 	}{
 		{
 			name:    "NoSuffix",
-			profile: "operator/default/test",
+			profile: "operator/test",
 		},
 		{
 			name:    "BadSuffix",
-			profile: "operator/default/test.js",
+			profile: "operator/test.js",
 		},
 		{
 			name:    "WrongPath",
