Open jihed opened 1 month ago
AL2023 does not use the SELinux "enforcing" mode by default, that's why this package is not installed. If you want to enable enforcing mode on your nodes, you would need to install the necessary dependencies. If you want to open a PR to add some of this to the AMI, feel free 👍
Thanks @jihed for opening this issue. Basically there is no AWS doc/guide which says that the package "container-selinux" must be installed if SELINUX is enabled in "Enforcing" mode.
In other words, the current AWS EKS AL2023 AMIs do not support SELINUX enforcing mode.
Now, let's talk about just the normal AL2023 base OS AMI. If any customer installs "docker" with SELINUX enforcing mode, will it work? Since the problem is known to us, it is easy for us to fix it, but if it is unknown to the customers who are using SELINUX enforcing mode (required by AL2023 CIS benchmark level 2), it will be a blocker.
In my opinion, to reduce the overall impact of the current AL2023 AMI with SELINUX enforcing mode, we must have all the required packages installed in the base OS AMI itself, or we must say that if you are using SELINUX enforcing mode then these packages are required.
What happened: When enabling SELINUX=enforcing mode on al2023, nodeadm fails to run and the node couldn't join the cluster. I found that the EKS AMI is missing the container-selinux rpm.

What you expected to happen: The EKS AMI in all flavors has all the rpms needed for SELINUX enforcing mode.

How to reproduce it (as minimally and precisely as possible): Deploy an EKS cluster with nodes that have SELinux in enforcing mode like in this: linux.

Environment:
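The issue and the follow-up comment both come down to one precondition: a node in SELinux enforcing mode needs the container-selinux rpm before nodeadm and containerd can start. The script below is an added example, not code from the issue or from the amazon-eks-ami project, of a preflight check that a node bootstrap could run before nodeadm to surface that gap as a clear error instead of a failed cluster join. The decision logic takes the SELinux mode and the package state as arguments so it can be exercised without a real host; the small wrapper at the bottom collects those values from getenforce and rpm when PREFLIGHT_RUN=1 is set (the environment variable name is an assumption for this example).

```shell
#!/bin/sh
# Added example: preflight check for SELinux enforcing mode on an AL2023 node.
# Not part of the amazon-eks-ami project; PREFLIGHT_RUN is an assumed variable name.

# check_selinux_prereqs MODE INSTALLED
#   MODE      : output of `getenforce` (Enforcing / Permissive / Disabled)
#   INSTALLED : "yes" if the container-selinux rpm is installed, anything else otherwise
# Returns 0 when the node is safe to bootstrap, 1 when enforcing mode is set
# without the policy package the issue identifies, 2 on an unrecognised mode.
check_selinux_prereqs() {
  mode=$1
  installed=$2
  case "$mode" in
    Enforcing)
      if [ "$installed" = "yes" ]; then
        echo "ok: SELinux is enforcing and container-selinux is installed"
        return 0
      fi
      echo "missing: SELinux is enforcing but container-selinux is not installed; nodeadm/containerd will fail" >&2
      return 1
      ;;
    Permissive|Disabled)
      echo "ok: SELinux is $mode; container-selinux is not required"
      return 0
      ;;
    *)
      echo "unknown SELinux mode: '$mode'" >&2
      return 2
      ;;
  esac
}

# Current SELinux mode of this host; reports Disabled when getenforce is absent.
host_selinux_mode() {
  getenforce 2>/dev/null || echo Disabled
}

# "yes" when the container-selinux rpm is present in the rpm database.
host_has_container_selinux() {
  if rpm -q container-selinux >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Run against the real host only when explicitly requested, so the file can
# also be sourced for its functions.
if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then
  check_selinux_prereqs "$(host_selinux_mode)" "$(host_has_container_selinux)"
fi
```

On a node this would run as PREFLIGHT_RUN=1 sh preflight.sh before nodeadm; a non-zero exit with the "missing" message points directly at the package the issue reports as absent, rather than at a generic bootstrap failure.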