Open GiamPy5 opened 3 months ago
Thank you for the request. Are you using the default SELinux policies for Amazon Linux 2?
The driver does have some basic SELinux settings as of 1.4.0 where you can customize the seLinuxOptions
on the driver containers (https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/charts/aws-mountpoint-s3-csi-driver/values.yaml#L16). Depending on how SELinux is configured, this may be enough for some applications, but more investigation is needed to see if that's the case on AL2.
I think we are indeed using the default SELinux policies (if there are any? I haven't found any documentation about the SEL policies included with AL2) as the CIS buildkit does not create new SELinux policies, it only enables the enforcement.
As far as I know, AWS Support has reproduced this issue on the AL2 image provided by AWS even without installing the CIS buildkit.
We are relying on EKS addons to install the S3 CSI driver so we don't have control over what's being installed behind the scenes.
Any news on this one by any chance?
/feature
Is your feature request related to a problem? Please describe.
Our enterprise desires all of their instances to be security-hardened with SELinux enabled (we're also installing the CIS buildkit on the AMIs, starting from the EKS-optimized Amazon Linux 2 AMI). However, SELinux prevents the s3-plugin container (part of the S3 CSI driver pod) from starting, as it fails to perform a mount operation. AWS Support has advised us to submit a feature request about this issue.
Describe the solution you'd like in detail
Enhance the support of the S3 CSI driver for SELinux so that it can work without any issues.
Describe alternatives you've considered
The only alternatives would be to:
Additional context
Pod logs:
Audit.log logs:
Internal AWS support reference (case ID): 171041866401170
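Since the audit.log excerpt is not reproduced in this issue, here is an added triage helper (not from the issue author, AWS Support or the CSI driver project) that pulls the SELinux AVC denials out of an audit log and shows the denied permission together with the source and target contexts, which is what a policy investigation on AL2 would start from. The sample log lines are constructed to resemble a denied mount from a confined container and are not the real logs from this case.

```shell
#!/bin/sh
# Constructed sample audit.log content (not the logs attached to this issue):
# one denied mount, one denied read of the FUSE device, and one granted mount
# by an unrelated process that a triage script must not report.
AUDIT_SAMPLE='type=AVC msg=audit(1710418664.011:2001): avc:  denied  { mount } for  pid=4321 comm="mount-s3" name="/" dev="fuse" ino=1 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:fusefs_t:s0 tclass=filesystem permissive=0
type=SYSCALL msg=audit(1710418664.011:2001): arch=c000003e syscall=165 success=no exit=-13 comm="mount-s3"
type=AVC msg=audit(1710418664.215:2002): avc:  denied  { read } for  pid=4321 comm="mount-s3" name="fuse" dev="devtmpfs" ino=99 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=system_u:object_r:fuse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1710418664.300:2003): avc:  granted  { mount } for  pid=77 comm="kubelet" scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem'

# avc_denials: read audit.log lines on stdin and print one
# "perm scontext tcontext tclass" line per AVC denial.
# Handles the common single-permission form "{ mount }"; multi-permission
# denials such as "{ read write }" are skipped by this pattern.
avc_denials() {
    grep 'type=AVC' | grep ' denied ' | sed -n \
        's/.*denied  { \([a-z_]*\) }.*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([a-z_]*\).*/\1 \2 \3 \4/p'
}

# count_denials PERM: number of denials of a given permission on stdin.
count_denials() {
    avc_denials | awk -v p="$1" '$1 == p' | wc -l | tr -d ' '
}

# mount_denial_contexts: "scontext tcontext" pairs for denied mounts on stdin,
# i.e. which container domain was refused to mount which filesystem type.
mount_denial_contexts() {
    avc_denials | awk '$1 == "mount" { print $2, $3 }'
}

main() {
    echo "AVC denials (perm scontext tcontext tclass):"
    printf '%s\n' "$AUDIT_SAMPLE" | avc_denials
    echo "denied mounts: $(printf '%s\n' "$AUDIT_SAMPLE" | count_denials mount)"
    echo "mount denial contexts:"
    printf '%s\n' "$AUDIT_SAMPLE" | mount_denial_contexts
}

main "$@"
```

On a node, feed the real log instead of the sample, e.g. `avc_denials < /var/log/audit/audit.log`; the source context of the denied mount is the domain whose policy (or the container's seLinuxOptions) needs adjusting.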