
Support Bottlerocket OS #86

Closed
yubingjiaocn opened this issue Nov 29, 2023 · 8 comments
Labels
enhancement New feature or request

Comments

@yubingjiaocn

/feature

Is your feature request related to a problem? Please describe.

When I'm trying to mount an S3 bucket to a pod running on a Bottlerocket OS worker node, the mount fails and the error in the pod events says:

MountVolume.SetUp failed for volume "<Redacted>" : rpc error: code = Internal desc = Could not mount "<Redacted>" at "/var/lib/kubelet/pods/<Redacted>/volumes/kubernetes.io~csi/<Redacted>/mount": Mount failed: Failed to start systemd unit on host: SELinux policy denies access: Permission denied output:

System Info from kubectl describe node:

  Kernel Version:             5.15.136
  OS Image:                   Bottlerocket OS 1.16.1 (aws-k8s-1.27-nvidia)
  Operating System:           linux
  Architecture:               amd64
  Container Runtime Version:  containerd://1.6.24+bottlerocket
  Kubelet Version:            v1.27.7-eks-1670f88
  Kube-Proxy Version:         v1.27.7-eks-1670f88

Describe the solution you'd like in detail

I know Bottlerocket is not in the first batch of support. Is there any workaround or ETA to support Bottlerocket?

@jjkr
Contributor

jjkr commented Nov 29, 2023

Thank you for the feature request. I do not have a workaround or ETA to share at this time unfortunately, but Bottlerocket is a great option for a k8s OS and I agree it would be awesome if the driver added compatibility.

As you're seeing, it's the SELinux configuration that prevents this from functioning currently. Bottlerocket is security focused, so it has a very locked-down SELinux configuration that the CSI driver will need to work with specifically.

@nalshamaajc

Is configuring SELinux to add the permissions required by the driver from userdata an option here?

@yubingjiaocn
Author

Hi @nalshamaajc. Tweaking SELinux on Bottlerocket seems like a good approach, but I'm not familiar with SELinux and don't know what to adjust. Per the Bottlerocket doc, defining the super_t label for the CSI node container may be a way to grant permission. Or do you have any specific label to attach? Thx.

@jjkr jjkr added the enhancement New feature or request label Dec 18, 2023
@saikumarch7548

@yubingjiaocn, @nalshamaajc, can you please help by letting us know if you tried enabling SELinux on Bottlerocket?

@evgeni-roif-gong

I believe you cannot add this to Bottlerocket using SELinux, as the actual CSI driver uses systemd to mount the storage. Meaning they need to rewrite the code to enable this.

@sumeet-zuora

Will there be support for this, and do we have an ETA for the same?

@dlakhaws
Contributor

The team is actively working on this feature. We'll update this issue when we release this feature.

@jjkr
Contributor

jjkr commented Mar 7, 2024

Bottlerocket support has been released in v1.4.0. It is currently available via helm install and will be rolling out as an EKS add-on next week.

@jjkr jjkr closed this as completed Mar 7, 2024

7 participants