From d39da248e36318d4b532f615bd2333cccde67f05 Mon Sep 17 00:00:00 2001
From: Joe Kramer
Date: Sat, 17 Feb 2024 00:13:25 +0000
Subject: [PATCH 1/3] Add SELinux options for bottlerocket
---
 .../templates/node.yaml | 16 ++++++++++++++++
 charts/aws-mountpoint-s3-csi-driver/values.yaml | 7 +++++--
 .../static_provisioning/static_provisioning.yaml | 2 +-
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/charts/aws-mountpoint-s3-csi-driver/templates/node.yaml b/charts/aws-mountpoint-s3-csi-driver/templates/node.yaml
index b1ec58a7..7e5d78d5 100644
--- a/charts/aws-mountpoint-s3-csi-driver/templates/node.yaml
+++ b/charts/aws-mountpoint-s3-csi-driver/templates/node.yaml
@@ -46,6 +46,14 @@ spec:
 initContainers:
 - name: install-mountpoint
 image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
+ {{- with .Values.node.seLinuxOptions }}
+ securityContext:
+ seLinuxOptions:
+ user: {{ .user }}
+ type: {{ .type }}
+ role: {{ .role }}
+ level: {{ .level }}
+ {{- end }}
 imagePullPolicy: IfNotPresent
 command:
 - "/bin/install-mp"
@@ -58,6 +66,14 @@ spec:
 containers:
 - name: s3-plugin
 image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
+ {{- with .Values.node.seLinuxOptions }}
+ securityContext:
+ seLinuxOptions:
+ user: {{ .user }}
+ type: {{ .type }}
+ role: {{ .role }}
+ level: {{ .level }}
+ {{- end }}
 imagePullPolicy: IfNotPresent
 args:
 - --endpoint=$(CSI_ENDPOINT)
diff --git a/charts/aws-mountpoint-s3-csi-driver/values.yaml b/charts/aws-mountpoint-s3-csi-driver/values.yaml
index 138594a5..09cf4a3b 100644
--- a/charts/aws-mountpoint-s3-csi-driver/values.yaml
+++ b/charts/aws-mountpoint-s3-csi-driver/values.yaml
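Review bot: The field lines inside `{{- with .Values.node.seLinuxOptions }}` render all four keys unconditionally and unquoted, so a values file that sets only some of them (for example just `type`) emits the remaining keys as empty scalars, and an MLS level carrying categories such as `s0:c1,c2` (constructed example) is written without quotes. Replacing the four `user:`…`level:` lines with a single `{{- toYaml . | nindent 10 }}` under `seLinuxOptions:` (10 assumes the field lines sit two columns deeper than `seLinuxOptions:`; check against the file) emits exactly the keys the operator set and lets Helm quote them. The `containers` hunk at `@@ -58,6 +66,14 @@` repeats the same block verbatim and needs the same change. If the template still renders `.Values.node.containerSecurityContext` somewhere outside these hunks, confirm it does not also emit `securityContext:` for these containers, since the two would then be duplicate mapping keys.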
@@ -13,8 +13,11 @@ node:
 kubeletPath: /var/lib/kubelet
 mountpointInstallPath: /opt/mountpoint-s3-csi/bin/ # should end with "/"
 logLevel: 4
- containerSecurityContext:
- privileged: true
+ seLinuxOptions:
+ user: system_u
+ type: super_t
+ role: system_r
+ level: s0
 serviceAccount:
 # Specifies whether a service account should be created
 create: true
diff --git a/examples/kubernetes/static_provisioning/static_provisioning.yaml b/examples/kubernetes/static_provisioning/static_provisioning.yaml
index c8d501ee..a0e16fb1 100644
--- a/examples/kubernetes/static_provisioning/static_provisioning.yaml
+++ b/examples/kubernetes/static_provisioning/static_provisioning.yaml
@@ -14,7 +14,7 @@ spec:
 driver: s3.csi.aws.com # required
 volumeHandle: s3-csi-driver-volume
 volumeAttributes:
- bucketName: s3-csi-driver
+ bucketName: s3-csi-driver-test-jjk
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
From 73d7f68a91d1dfabcd2174e88ede59af90c89dcd Mon Sep 17 00:00:00 2001
From: Joe Kramer
Date: Mon, 26 Feb 2024 23:15:08 +0000
Subject: [PATCH 2/3] Remove test bucket
---
 .../kubernetes/static_provisioning/static_provisioning.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/kubernetes/static_provisioning/static_provisioning.yaml b/examples/kubernetes/static_provisioning/static_provisioning.yaml
index a0e16fb1..c8d501ee 100644
--- a/examples/kubernetes/static_provisioning/static_provisioning.yaml
+++ b/examples/kubernetes/static_provisioning/static_provisioning.yaml
@@ -14,7 +14,7 @@ spec:
 driver: s3.csi.aws.com # required
 volumeHandle: s3-csi-driver-volume
 volumeAttributes:
- bucketName: s3-csi-driver-test-jjk
+ bucketName: s3-csi-driver
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
From 822ede0466360d5a1fc6036936925cd266734225 Mon Sep 17 00:00:00 2001
From: Joe Kramer
Date: Tue, 27 Feb 2024 15:14:38 +0000
Subject: [PATCH 3/3] Update kustomization
---
 deploy/kubernetes/base/node-daemonset.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
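Review bot: The new default sets `type: super_t` for every chart install, although the patch subject scopes the option to Bottlerocket; in Bottlerocket's policy `super_t` is the domain used for privileged containers, and on other SELinux-enforcing node images that type may not exist, in which case the runtime can refuse to start the container. Defaulting to `seLinuxOptions: {}` keeps the template's `with` block silent and makes the privileged domain an explicit opt-in, with the Bottlerocket values given in an adjacent comment, e.g. `# Bottlerocket nodes: user: system_u, role: system_r, type: super_t, level: s0`. Dropping `containerSecurityContext` also removes the previous `privileged: true` default; if the template still reads that key, that behaviour change deserves a line in the chart's changelog or README.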
diff --git a/deploy/kubernetes/base/node-daemonset.yaml b/deploy/kubernetes/base/node-daemonset.yaml
index f7f3a700..259daf03 100644
--- a/deploy/kubernetes/base/node-daemonset.yaml
+++ b/deploy/kubernetes/base/node-daemonset.yaml
@@ -28,6 +28,12 @@ spec:
 tolerationSeconds: 300
 initContainers:
 - name: install-mountpoint
+ securityContext:
+ seLinuxOptions:
+ user: system_u
+ type: super_t
+ role: system_r
+ level: s0
 image: csi-driver
 imagePullPolicy: IfNotPresent
 command:
@@ -42,6 +48,11 @@ spec:
 - name: s3-plugin
 securityContext:
 privileged: false
+ seLinuxOptions:
+ user: system_u
+ type: super_t
+ role: system_r
+ level: s0
 image: csi-driver
 imagePullPolicy: IfNotPresent
 args:
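Review bot: Both hunks bake the Bottlerocket labels (`user: system_u`, `type: super_t`, `role: system_r`, `level: s0`) into the kustomize base, which every overlay inherits, so a non-Bottlerocket cluster running SELinux in enforcing mode receives a type its policy may not define and the pod can fail to start, while Bottlerocket clusters get the privileged domain with no way to opt out other than a patch. Keeping the base free of `seLinuxOptions` and adding the block from a Bottlerocket-specific overlay (a strategic-merge patch on the DaemonSet) preserves the base's portability. In the `s3-plugin` hunk (`@@ -42,6 +48,11 @@`) the container is `privileged: false` yet labelled `super_t`; a one-line comment above `seLinuxOptions:` naming the host operation that needs that domain would let a reviewer judge whether a less privileged type suffices.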