Ben Cressey

167 comments by Ben Cressey

Can you check `dmesg` on an affected node for `avc` messages? Those correspond to SELinux denials and will help narrow down the issue. Generally I'd expect - and want! -...
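As an added example (not from this thread or the Bottlerocket project), a POSIX shell filter that keeps only the `avc: denied` records from `dmesg` output and tabulates them by source context, so the domain generating the denials stands out. The sample `dmesg` lines, process names and SELinux labels below are constructed for the example and do not come from a real node.

```shell
#!/bin/sh
# Constructed sample dmesg output: one unrelated line and three AVC denials.
SAMPLE_DMESG='[   12.345678] systemd[1]: Started kubelet.service.
[   42.000001] audit: type=1400 audit(1700000000.100:31): avc:  denied  { write } for  pid=1301 comm="kubelet" name="volumes" dev="dm-0" ino=4242 scontext=system_u:system_r:system_t:s0 tcontext=system_u:object_r:local_t:s0 tclass=dir permissive=0
[   42.000002] audit: type=1400 audit(1700000000.101:32): avc:  denied  { create } for  pid=1301 comm="kubelet" name="pod-uid" scontext=system_u:system_r:system_t:s0 tcontext=system_u:object_r:local_t:s0 tclass=dir permissive=0
[   43.000000] audit: type=1400 audit(1700000000.200:33): avc:  denied  { read } for  pid=2200 comm="bash" path="/etc/shadow" dev="overlay" ino=99 scontext=system_u:system_r:super_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# summarize_avc: read dmesg text on stdin and print one tab-separated row per
# denial: permission(s), comm, scontext, tcontext, tclass.
# Assumes key="value" tokens contain no spaces (true for the constructed input;
# a comm with embedded spaces would need a proper audit parser).
summarize_avc() {
    awk '
        /avc: +denied/ {
            # The permission set sits between the braces, e.g. "{ write }".
            perm = $0
            sub(/.*[{] */, "", perm); sub(/ *[}].*/, "", perm)
            comm = sctx = tctx = tcls = "?"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1); gsub(/"/, "", v)
                if (k == "comm") comm = v
                else if (k == "scontext") sctx = v
                else if (k == "tcontext") tctx = v
                else if (k == "tclass") tcls = v
            }
            printf "%s\t%s\t%s\t%s\t%s\n", perm, comm, sctx, tctx, tcls
        }'
}

# denials_by_source: count denials per source context, noisiest first. A single
# domain accounting for most denials usually points at a mislabelled process.
denials_by_source() {
    summarize_avc | awk -F'\t' '{ c[$3]++ } END { for (k in c) print c[k] "\t" k }' | sort -rn
}

# Stand-alone run over the constructed sample; on a real node use: dmesg | denials_by_source
printf '%s\n' "$SAMPLE_DMESG" | denials_by_source
```

The per-row output from `summarize_avc` is what you want when a denial is unexpected: the `scontext`/`tcontext`/`tclass` triple is exactly what a policy rule would have to grant.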

Also typically from the admin container you would never see SELinux denials - the processes run with a highly privileged label for break-glass troubleshooting - so it's possible or even...

If the `volumes` directory doesn't contain other state, just device nodes, it might work to mount an additional `emptyDir` volume with the `medium: Memory` option set, so that a new...

A better approach here might be the tool that @webern has pitched to allow for modifications of an existing image. We could support operations like:
* modifying root.json to allow...

This issue has bounced between a few milestones, partly because it doesn't map cleanly to a particular Bottlerocket release. It's definitely still on the roadmap, though! I've been working steadily...

@voidlily the CIS benchmark is in the consensus review stage at the moment. It looks like you'd need to sign up at https://workbench.cisecurity.org/ to view the draft benchmark, but depending...

@misterek the bootstrap container approach sounds reasonable. I've also thought about adding support for the benchmark to https://github.com/google/localtoast and integrating that tool into the host, with a corresponding actions API...

@mello7tre and @samuelkarp - I'd love to get your input here.

@gregdek - Hi! 😀 @igorantunes1984 - this isn't being actively worked on right now, and isn't on the roadmap for the year. That said, we're happy to collaborate if you...

Implementation thoughts: We might get away with ordering constraints on the bootstrap container service units, such that they were all `RequiredBy` and `Before` the reconciliation unit. Otherwise we could use...
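As an added example (my code, not the project's), a POSIX shell checker for the ordering constraints described above: each bootstrap container unit should carry `Before=` the reconciliation unit in `[Unit]` (ordering only) and `RequiredBy=` it in `[Install]` (which becomes a `Requires=` dependency on the reconciliation unit once the bootstrap unit is enabled). The unit names and unit files below are hypothetical and written to a temporary directory so the check runs offline.

```shell
#!/bin/sh
# Hypothetical name for the reconciliation unit; not a real Bottlerocket unit.
RECONCILE_UNIT="reconcile-example.service"

# unit_directive FILE SECTION KEY: print the value(s) of KEY inside [SECTION].
unit_directive() {
    awk -v section="[$2]" -v key="$3" '
        /^\[/ { in_section = ($0 == section); next }
        in_section {
            n = index($0, "=")
            if (n > 0 && substr($0, 1, n - 1) == key) print substr($0, n + 1)
        }' "$1"
}

# check_bootstrap_unit FILE: succeed only if FILE both orders itself Before= and
# declares itself RequiredBy= the reconciliation unit. Before= alone would let the
# reconciliation unit start without the bootstrap unit ever being pulled in.
check_bootstrap_unit() {
    before="$(unit_directive "$1" Unit Before | tr '\n' ' ')"
    required_by="$(unit_directive "$1" Install RequiredBy | tr '\n' ' ')"
    case " $before " in *" $RECONCILE_UNIT "*) ;; *) return 1 ;; esac
    case " $required_by " in *" $RECONCILE_UNIT "*) ;; *) return 1 ;; esac
    return 0
}

# list_violations DIR: name every bootstrap-*.service in DIR missing a constraint.
list_violations() {
    for f in "$1"/bootstrap-*.service; do
        check_bootstrap_unit "$f" || basename "$f"
    done
}

# Constructed unit files: one correct, one with only the ordering constraint.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/bootstrap-good.service" <<EOF
[Unit]
Description=Bootstrap container (constructed example)
Before=$RECONCILE_UNIT

[Service]
Type=oneshot
ExecStart=/bin/true

[Install]
RequiredBy=$RECONCILE_UNIT
EOF
cat > "$WORK/bootstrap-bad.service" <<EOF
[Unit]
Description=Bootstrap container missing the RequiredBy dependency (constructed)
Before=$RECONCILE_UNIT

[Service]
Type=oneshot
ExecStart=/bin/true

[Install]
WantedBy=multi-user.target
EOF

# Stand-alone run: prints the offending unit name.
list_violations "$WORK"
```

Pointing `list_violations` at a real unit directory only checks the static text; whether the `RequiredBy=` actually took effect depends on the unit having been enabled, which `systemctl show -p Requires` on the reconciliation unit would confirm.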