Enhancement Description

• One-line enhancement description (can be used as a release note): Speed up container startup by mounting volumes with the correct SELInux label instead of changing each file on the volumes recursively.

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

• Primary contact (assignee): @jsafrane

• Responsible SIGs: sig-storage, sig-node

The KEP describes 3 phases / 3 feature gates.

SELinuxMountReadWriteOncePod:

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.24
  • Beta release target (x.y): 1.27
  • Stable release target (x.y): ≥ 1.35
• Alpha
  • KEP (k/enhancements) update PR(s):
  • Code (k/k) update PR(s):
  • Docs (k/website) update PR(s):
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-1710: Update SELinux mount ReadWriteOnce optimization for beta #3797
  • Code (k/k) update PR(s):
    • Flip SELinuxMountReadWriteOncePod to Beta kubernetes#116425
  • Docs (k/website) update(s):
    • Add blog for Efficient SELinux volume relabeling (Beta) website#39836

SELinuxChangePolicy

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.32
  • Beta release target (x.y): 1.33
  • Stable release target (x.y): ≥ 1.35
• Alpha
  • KEP (k/enhancements) update PR(s): 1710: Add SELinuxChangePolicy to PodSpec #4843
  • Code (k/k) update PR(s):
    • 1710: Implement SELinuxChangePolicy kubernetes#127981
    • 1710: Add SELinux warning controller kubernetes#128242
    • new/updated test jobs:
  • Docs (k/website) update PR(s):
    • Document SELinuxChangePolicy and SELinuxMount website#48515
• Beta
  • KEP (k/enhancements) update PR(s): 1710: selinux: Update the KEP for 1.33 and graduate to Beta #5096
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):

SELinuxMount

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.30
  • Beta release target (x.y): 1.33
  • Stable release target (x.y): ≥ 1.36
• Alpha
  • KEP (k/enhancements) update PR(s): Start SELinuxMount alpha #4436
  • Code (k/k) update PR(s):
    • Add SELinuxMount feature gate kubernetes#123157
    • Add label with access mode to SELinux metrics kubernetes#123667
    • new/updated test jobs:
      • Add CI job for SELinuxMount feature gate test-infra#32125
      • Fix typo in e2e-kops-aws-selinux skips test-infra#32143
      • https://testgrid.k8s.io/google-aws#kops-aws-selinux
      • https://testgrid.k8s.io/google-aws#kops-aws-selinux-alpha
  • Docs (k/website) update PR(s): Document SELinuxMount feature gate website#45280
• Beta
  • KEP (k/enhancements) update PR(s): 1710: selinux: Update the KEP for 1.33 and graduate to Beta #5096 (same as SELinuxChangePolicy)
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):