Merge pull request #2253 from ConnorJC3/selinux-mounts

Selinux Mount Option
kubernetes-sigs · Dec 20, 2024 · 2c546a8 · 2c546a8
2 parents d99da6d + 2eefc58
commit 2c546a8
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/charts/aws-ebs-csi-driver/templates/_node.tpl b/charts/aws-ebs-csi-driver/templates/_node.tpl
@@ -131,6 +131,12 @@ spec:
               mountPath: /csi
             - name: device-dir
               mountPath: /dev
+            {{- if .Values.node.selinux }}
+            - name: selinux-sysfs
+              mountPath: /sys/fs/selinux
+            - name: selinux-config
+              mountPath: /etc/selinux/config
+            {{- end }}
           {{- with .Values.node.volumeMounts }}
           {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -248,6 +254,18 @@ spec:
           hostPath:
             path: /dev
             type: Directory
+        {{- if .Values.node.selinux }}
+        - name: selinux-sysfs
+          hostPath:
+            path: /sys/fs/selinux
+            type: Directory
+            readOnly: true
+        - name: selinux-config
+          hostPath:
+            path: /etc/selinux/config
+            type: File
+            readOnly: true
+        {{- end }}
         - name: probe-dir
           {{- if .Values.node.probeDirVolume }}
           {{- toYaml .Values.node.probeDirVolume | nindent 10 }}

diff --git a/charts/aws-ebs-csi-driver/values.yaml b/charts/aws-ebs-csi-driver/values.yaml
@@ -348,6 +348,9 @@ controller:
   # Enable dnsConfig for the controller and node pods
   dnsConfig: {}
 node:
+  # Enable SELinux-only optimizations on the EBS CSI Driver node pods
+  # Must only be set true if all linux nodes in the DaemonSet have SELinux enabled
+  selinux: false
   env: []
   envFrom: []
   kubeletPath: /var/lib/kubelet