From 9787cfe7ca81ed160b88a747c135b9b0b73cddce Mon Sep 17 00:00:00 2001
From: Ben Cressey
Date: Thu, 20 Aug 2020 21:58:03 +0000
Subject: [PATCH] use superpowered label for the API agent

Bottlerocket now requires containers to opt-in to API access by using either the `control_t` or `super_t` labels. Since `control_t` is not available on older versions of Bottlerocket, set `super_t` instead until the new version is widely available.

Signed-off-by: Ben Cressey
---
 update-operator.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/update-operator.yaml b/update-operator.yaml
index 19868f2c..d10804ea 100644
--- a/update-operator.yaml
+++ b/update-operator.yaml
@@ -191,6 +191,12 @@ spec:
 volumeMounts:
 - name: bottlerocket-api-socket
 mountPath: /run/api.sock
+ securityContext:
+ seLinuxOptions:
+ user: system_u
+ role: system_r
+ type: super_t
+ level: s0
 volumes:
 - name: bottlerocket-api-socket
 hostPath:
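Review bot: The added `type: super_t` line under `seLinuxOptions` has no in-file marker that it is a stopgap, so the broader label is likely to outlive the compatibility reason given in the commit message. Going by that message, `control_t` is presumably the narrower label and is enough for API access, so least privilege argues for recording the intent next to the value, e.g. `# TODO: switch to control_t once every supported Bottlerocket version provides it; super_t is only set for older hosts`. The spec this `securityContext` belongs to starts above the hunk and the indentation is lost in this rendering, so confirm it is scoped to the agent container that mounts `/run/api.sock` and not to the whole pod, where every container would inherit the label.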