From 2eefc58cb8b50325cb1b45c8f70945909bed1c5d Mon Sep 17 00:00:00 2001 From: Connor Catlett Date: Wed, 4 Dec 2024 14:53:29 +0000 Subject: [PATCH] Selinux mount option Signed-off-by: Connor Catlett --- charts/aws-ebs-csi-driver/templates/_node.tpl | 18 ++++++++++++++++++ charts/aws-ebs-csi-driver/values.yaml | 3 +++ 2 files changed, 21 insertions(+) diff --git a/charts/aws-ebs-csi-driver/templates/_node.tpl b/charts/aws-ebs-csi-driver/templates/_node.tpl index ec2e47878c..6c2c5eec24 100644 --- a/charts/aws-ebs-csi-driver/templates/_node.tpl +++ b/charts/aws-ebs-csi-driver/templates/_node.tpl @@ -127,6 +127,12 @@ spec: mountPath: /csi - name: device-dir mountPath: /dev + {{- if .Values.node.selinux }} + - name: selinux-sysfs + mountPath: /sys/fs/selinux + - name: selinux-config + mountPath: /etc/selinux/config + {{- end }} {{- with .Values.node.volumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} @@ -244,6 +250,18 @@ spec: hostPath: path: /dev type: Directory + {{- if .Values.node.selinux }} + - name: selinux-sysfs + hostPath: + path: /sys/fs/selinux + type: Directory + readOnly: true + - name: selinux-config + hostPath: + path: /etc/selinux/config + type: File + readOnly: true + {{- end }} - name: probe-dir {{- if .Values.node.probeDirVolume }} {{- toYaml .Values.node.probeDirVolume | nindent 10 }} diff --git a/charts/aws-ebs-csi-driver/values.yaml b/charts/aws-ebs-csi-driver/values.yaml index 45579b8fad..48bfd4639b 100644 --- a/charts/aws-ebs-csi-driver/values.yaml +++ b/charts/aws-ebs-csi-driver/values.yaml @@ -342,6 +342,9 @@ controller: # Enable dnsConfig for the controller and node pods dnsConfig: {} node: + # Enable SELinux-only optimizations on the EBS CSI Driver node pods + # Must only be set true if all linux nodes in the DaemonSet have SELinux enabled + selinux: false env: [] envFrom: [] kubeletPath: /var/lib/kubelet