Add SELinux options for Bottlerocket (#155)

Make SELinux options for the container's context configurable and defaulting to bottlerocket supporting values. Compatibility with bottlerocket depends on currently unreleased changes.
awslabs · Feb 27, 2024 · 8d574fe · 8d574fe
1 parent 36aa2b8
commit 8d574fe
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 2 deletions.
diff --git a/charts/aws-mountpoint-s3-csi-driver/templates/node.yaml b/charts/aws-mountpoint-s3-csi-driver/templates/node.yaml
@@ -46,6 +46,14 @@ spec:
       initContainers:
         - name: install-mountpoint
           image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
+          {{- with .Values.node.seLinuxOptions }}
+          securityContext:
+            seLinuxOptions:
+              user: {{ .user }}
+              type: {{ .type }}
+              role: {{ .role }}
+              level: {{ .level }}
+          {{- end }}
           imagePullPolicy: IfNotPresent
           command:
             - "/bin/install-mp"
@@ -58,6 +66,14 @@ spec:
       containers:
         - name: s3-plugin
           image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
+          {{- with .Values.node.seLinuxOptions }}
+          securityContext:
+            seLinuxOptions:
+              user: {{ .user }}
+              type: {{ .type }}
+              role: {{ .role }}
+              level: {{ .level }}
+          {{- end }}
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=$(CSI_ENDPOINT)

diff --git a/charts/aws-mountpoint-s3-csi-driver/values.yaml b/charts/aws-mountpoint-s3-csi-driver/values.yaml
@@ -13,8 +13,11 @@ node:
   kubeletPath: /var/lib/kubelet
   mountpointInstallPath: /opt/mountpoint-s3-csi/bin/ # should end with "/"
   logLevel: 4
-  containerSecurityContext:
-    privileged: true
+  seLinuxOptions:
+    user: system_u
+    type: super_t
+    role: system_r
+    level: s0
   serviceAccount:
     # Specifies whether a service account should be created
     create: true

diff --git a/deploy/kubernetes/base/node-daemonset.yaml b/deploy/kubernetes/base/node-daemonset.yaml
@@ -28,6 +28,12 @@ spec:
           tolerationSeconds: 300
       initContainers:
         - name: install-mountpoint
+          securityContext:
+            seLinuxOptions:
+              user: system_u
+              type: super_t
+              role: system_r
+              level: s0
           image: csi-driver
           imagePullPolicy: IfNotPresent
           command:
@@ -42,6 +48,11 @@ spec:
         - name: s3-plugin
           securityContext:
             privileged: false
+            seLinuxOptions:
+              user: system_u
+              type: super_t
+              role: system_r
+              level: s0
           image: csi-driver
           imagePullPolicy: IfNotPresent
           args: