Selinux mount option

Signed-off-by: Connor Catlett <[email protected]>
kubernetes-sigs · Dec 19, 2024 · 2eefc58 · 2eefc58
1 parent 39822b5
commit 2eefc58
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/charts/aws-ebs-csi-driver/templates/_node.tpl b/charts/aws-ebs-csi-driver/templates/_node.tpl
@@ -127,6 +127,12 @@ spec:
               mountPath: /csi
             - name: device-dir
               mountPath: /dev
+            {{- if .Values.node.selinux }}
+            - name: selinux-sysfs
+              mountPath: /sys/fs/selinux
+            - name: selinux-config
+              mountPath: /etc/selinux/config
+            {{- end }}
           {{- with .Values.node.volumeMounts }}
           {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -244,6 +250,18 @@ spec:
           hostPath:
             path: /dev
             type: Directory
+        {{- if .Values.node.selinux }}
+        - name: selinux-sysfs
+          hostPath:
+            path: /sys/fs/selinux
+            type: Directory
+            readOnly: true
+        - name: selinux-config
+          hostPath:
+            path: /etc/selinux/config
+            type: File
+            readOnly: true
+        {{- end }}
         - name: probe-dir
           {{- if .Values.node.probeDirVolume }}
           {{- toYaml .Values.node.probeDirVolume | nindent 10 }}

diff --git a/charts/aws-ebs-csi-driver/values.yaml b/charts/aws-ebs-csi-driver/values.yaml
@@ -342,6 +342,9 @@ controller:
   # Enable dnsConfig for the controller and node pods
   dnsConfig: {}
 node:
+  # Enable SELinux-only optimizations on the EBS CSI Driver node pods
+  # Must only be set true if all linux nodes in the DaemonSet have SELinux enabled
+  selinux: false
   env: []
   envFrom: []
   kubeletPath: /var/lib/kubelet