SELinux support for S3 CSI Driver for EKS Addon #169

Open
GiamPy5 opened this issue Mar 18, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@GiamPy5

GiamPy5 commented Mar 18, 2024

/feature

Is your feature request related to a problem? Please describe.
Our enterprise desires all of their instances to be security-hardened with SELinux enabled (we're also installing the CIS buildkit on the AMIs, starting from the EKS-optimized Amazon Linux 2 AMI). However, SELinux prevents the s3-plugin container (part of the S3 CSI driver pod) from starting, as it fails to perform a mount operation. AWS Support has advised us to submit a feature request about this issue.

Describe the solution you'd like in detail
Enhance the support of S3 CSI driver for SELinux so that it can work without any issues.

Describe alternatives you've considered
The only alternatives would be to:

  • use audit2allow to generate custom SELinux policies (however, it could be tedious to maintain long-term)
  • disable SELinux (the least favourite option)

Additional context
Pod logs:

failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "/proc/395888/mounts" to rootfs at "/host/proc/mounts": change mount propagation through procfd: mount /host/proc/mounts (via /proc/self/fd/6), flags: 0x44000: permission denied: unknown

Audit.log logs:

avc: denied { mounton } for pid=40998 comm="runc:[2:INIT]" path="/run/containerd/io.containerd.runtime.v2.task/k8s.io/c79bb808487e15e9d58a01ad593c8d446fd4bb20643c9ef154437596283ee42b/rootfs/host/proc/mounts" dev="proc" ino=34311 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=0

Internal AWS support reference (case ID): 171041866401170
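The audit.log line above is the record a defender triages to understand which operation SELinux blocked (here: the `mounton` permission on a `file` in the container's rootfs, requested by runc, with `permissive=0` meaning the denial was enforced). The following Go program is an added example, not part of the issue report or of the CSI driver: it parses AVC messages of this shape into their fields, tolerating the `type=AVC msg=audit(...):` header that audit.log prefixes to the line, so that denials can be grepped and summarised consistently. The only sample input is the denial quoted in the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AVCRecord is one SELinux access-vector-cache message from audit.log.
type AVCRecord struct {
	Result      string            // "denied" or "granted"
	Permissions []string          // e.g. ["mounton"]
	Fields      map[string]string // pid, comm, path, dev, ino, scontext, tcontext, tclass, permissive, ...
}

// avcHead matches the fixed part of the message. Anything before "avc:"
// (such as the "type=AVC msg=audit(...):" header written by auditd) is ignored.
var avcHead = regexp.MustCompile(`avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$`)

// avcField matches key=value pairs; values may be double-quoted (comm, path).
var avcField = regexp.MustCompile(`(\w+)=("(?:[^"\\]|\\.)*"|\S+)`)

// ParseAVC parses a single AVC line and returns an error for anything else.
func ParseAVC(line string) (AVCRecord, error) {
	m := avcHead.FindStringSubmatch(line)
	if m == nil {
		return AVCRecord{}, fmt.Errorf("not an AVC record: %q", line)
	}
	rec := AVCRecord{
		Result:      m[1],
		Permissions: strings.Fields(m[2]),
		Fields:      map[string]string{},
	}
	for _, kv := range avcField.FindAllStringSubmatch(m[3], -1) {
		rec.Fields[kv[1]] = strings.Trim(kv[2], `"`)
	}
	return rec, nil
}

// Has reports whether the record names the given permission (e.g. "mounton").
func (r AVCRecord) Has(perm string) bool {
	for _, p := range r.Permissions {
		if p == perm {
			return true
		}
	}
	return false
}

// Enforced is true when the denial was actually applied (permissive=0);
// permissive=1 means the access was logged but allowed.
func (r AVCRecord) Enforced() bool {
	return r.Result == "denied" && r.Fields["permissive"] == "0"
}

// Summary renders the fields an operator needs when triaging the denial.
func (r AVCRecord) Summary() string {
	return fmt.Sprintf("%s {%s} %s on %s by %s pid=%s: %s -> %s enforced=%t",
		r.Result, strings.Join(r.Permissions, " "), r.Fields["tclass"], r.Fields["path"],
		r.Fields["comm"], r.Fields["pid"], r.Fields["scontext"], r.Fields["tcontext"], r.Enforced())
}

// sampleAVC is the denial quoted in the issue report.
const sampleAVC = `avc: denied { mounton } for pid=40998 comm="runc:[2:INIT]" path="/run/containerd/io.containerd.runtime.v2.task/k8s.io/c79bb808487e15e9d58a01ad593c8d446fd4bb20643c9ef154437596283ee42b/rootfs/host/proc/mounts" dev="proc" ino=34311 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=file permissive=0`

func main() {
	rec, err := ParseAVC(sampleAVC)
	if err != nil {
		panic(err)
	}
	fmt.Println(rec.Summary())
}
```

Feeding a whole audit.log through `ParseAVC` line by line and filtering on `Has("mounton")` and `Enforced()` is a quick way to confirm that an observed pod start failure is the SELinux denial rather than an unrelated runtime error.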

@jjkr
Contributor

jjkr commented Mar 20, 2024

Thank you for the request. Are you using the default SELinux policies for Amazon Linux 2?

The driver does have some basic SELinux settings as of 1.4.0 where you can customize the seLinuxOptions on the driver containers (https://github.com/awslabs/mountpoint-s3-csi-driver/blob/main/charts/aws-mountpoint-s3-csi-driver/values.yaml#L16). Depending on how SELinux is configured, this may be enough for some applications, but more investigation is needed to see if that's the case on AL2.

@GiamPy5
Author

GiamPy5 commented Mar 20, 2024

I think we are indeed using the default SELinux policies (if there are any? I haven't found any documentation about the SELinux policies included with AL2), as the CIS buildkit does not create new SELinux policies; it only enables enforcement.

As far as I know, AWS Support has reproduced this issue on the AL2 image provided by AWS even without installing the CIS buildkit.

We are relying on EKS addons to install the S3 CSI driver, so we don't have control over what's being installed behind the scenes.

@GiamPy5
Author

GiamPy5 commented Jun 28, 2024

Any news on this one by any chance?

@muddyfish muddyfish changed the title SELinux support for S3 CSI Driver SELinux support for S3 CSI Driver for EKS Addon Jul 3, 2024
@unexge
Contributor

unexge commented Jul 9, 2024

Hey @GiamPy5 sorry for the late response!

I tried to run the Mountpoint CSI driver on an SELinux-enabled host (AL2023) in “permissive” mode and didn't see any problems other than mounting /proc/mounts, as you mentioned.

Currently, we mount /proc/mounts to determine whether a given path is a mountpoint, in:

  • NodePublishVolume – to understand if a path is already mounted to skip remount
  • NodeUnpublishVolume – to understand if a path is already mounted to skip unmount

We talked within the team, and it seems like using Mounter.IsMountPoint from mount-utils would allow us to perform the same check without relying on /proc/mounts.

Mounter.IsMountPoint does the following checks:

  1. Makes an openat2 syscall at the target path with RESOLVE_NO_XDEV and checks if it fails with EXDEV
    • This basically tells the Linux kernel to open a file without traversing mountpoints, and the kernel returns the EXDEV error code if it encounters a mountpoint during the traversal
    • This is supported on Linux kernels 5.6+
  2. Makes a stat syscall at the target path and its parent, and checks if their devices differ
    • This seems like a reliable way for non-bind mountpoints, which should be fine in our case
  3. Parses /proc/mounts
    • This is the same logic that the Mountpoint CSI driver uses today

In order to make sure we don't break non-SELinux users, we'll preserve check 3 by default and allow SELinux users to opt out of mounting /proc/mounts.

We're hoping that will allow using the Mountpoint CSI driver on SELinux-enforcing hosts.
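To make the three checks and the proposed opt-out concrete, here is an added Go example written for this thread; it is neither the CSI driver's code nor the mount-utils implementation it refers to. It uses only the standard library, so the openat2/RESOLVE_NO_XDEV step (check 1, which needs golang.org/x/sys/unix) is left out: it implements check 2 (compare the device of the path with its parent's) and check 3 (parse a /proc/mounts-style table, including the kernel's `\ooo` escapes for spaces in paths), and models the opt-out by accepting a nil table. The `sampleMounts` table is constructed for the example. The design choice worth noticing is what the opt-out costs: with neither openat2 nor /proc/mounts available, the stat check cannot tell a bind mount from a plain directory, which is why the comment above keeps check 3 on by default.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// mountEntry is one row of a /proc/mounts table:
// "<source> <mountpoint> <fstype> <options> <dump> <pass>".
type mountEntry struct {
	Source, Path, FSType string
}

// unescape decodes the \ooo octal escapes the kernel writes into /proc/mounts
// for spaces, tabs, newlines and backslashes that occur in paths.
func unescape(s string) string {
	if !strings.Contains(s, `\`) {
		return s
	}
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' && i+3 < len(s) {
			v, ok := 0, true
			for j := 1; j <= 3; j++ {
				c := s[i+j]
				if c < '0' || c > '7' {
					ok = false
					break
				}
				v = v*8 + int(c-'0')
			}
			if ok {
				b.WriteByte(byte(v))
				i += 3
				continue
			}
		}
		b.WriteByte(s[i])
	}
	return b.String()
}

// parseMountTable is check 3: read a /proc/mounts-style table.
func parseMountTable(r io.Reader) ([]mountEntry, error) {
	var entries []mountEntry
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) < 3 {
			return nil, fmt.Errorf("malformed mount line: %q", sc.Text())
		}
		entries = append(entries, mountEntry{Source: unescape(f[0]), Path: unescape(f[1]), FSType: f[2]})
	}
	return entries, sc.Err()
}

// mountedByTable reports whether path is listed as a mountpoint in the table.
func mountedByTable(path string, table io.Reader) (bool, error) {
	entries, err := parseMountTable(table)
	if err != nil {
		return false, err
	}
	for _, e := range entries {
		if e.Path == path {
			return true, nil
		}
	}
	return false, nil
}

// mountedByStat is check 2: compare the device of path with its parent's.
// A differing device is a sure mountpoint; an equal device is inconclusive,
// because a bind mount shares the device of the directory it was bound from.
func mountedByStat(path string) (bool, bool, error) {
	st, err := os.Lstat(path)
	if err != nil {
		return false, false, err
	}
	parent, err := os.Lstat(filepath.Dir(path))
	if err != nil {
		return false, false, err
	}
	if st.Sys().(*syscall.Stat_t).Dev != parent.Sys().(*syscall.Stat_t).Dev {
		return true, true, nil
	}
	return false, false, nil
}

// IsMountPoint applies the checks in the order described above, minus openat2.
// A nil table models the SELinux opt-out (no /proc/mounts mounted into the
// container): the stat result is then final, so bind mounts go undetected.
func IsMountPoint(path string, table io.Reader) (bool, error) {
	path = filepath.Clean(path)
	if path == string(os.PathSeparator) {
		return true, nil // the root directory is always a mountpoint
	}
	mounted, sure, err := mountedByStat(path)
	if err != nil || sure {
		return mounted, err
	}
	if table == nil {
		return false, nil
	}
	resolved, err := filepath.EvalSymlinks(path) // the kernel records resolved paths
	if err != nil {
		return false, err
	}
	return mountedByTable(resolved, table)
}

// sampleMounts is a constructed /proc/mounts excerpt, not taken from a real host.
const sampleMounts = `proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/nvme0n1p1 / xfs rw,noatime,attr2,inode64 0 0
mountpoint-s3 /host/data fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
mountpoint-s3 /mnt/my\040bucket fuse rw,nosuid,nodev,relatime 0 0
`

func main() {
	for _, p := range []string{"/", "/proc", os.TempDir()} {
		m, err := IsMountPoint(p, strings.NewReader(sampleMounts))
		fmt.Printf("%-8s mountpoint=%v err=%v\n", p, m, err)
	}
}
```

Run on a host, `/proc` is reported as a mountpoint by the stat check alone (its device differs from `/`), while a directory that only appears in the table is found by check 3; pass `nil` as the table to see what the opt-out loses.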

@marekhotshot

Any update please?

@unexge
Contributor

unexge commented Aug 7, 2024

Hey @marekhotshot, we'll make the changes described in #169 (comment), but we don't have a target date yet unfortunately.
