Speed up recursive SELinux label change #1710

jsafrane opened this issue Apr 23, 2020 · 67 comments
Labels
sig/node Categorizes an issue or PR as relevant to SIG Node. sig/storage Categorizes an issue or PR as relevant to SIG Storage. stage/beta Denotes an issue tracking an enhancement targeted for Beta status

@jsafrane
Member

jsafrane commented Apr 23, 2020

Enhancement Description

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Apr 23, 2020
@jsafrane
Member Author

/sig storage
/sig node

@k8s-ci-robot k8s-ci-robot added sig/storage Categorizes an issue or PR as relevant to SIG Storage. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 28, 2020
@palnabarun
Member

Hey @jsafrane -- 1.19 Enhancements Lead here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

  1. The KEP PR must be merged in an implementable state
  2. The KEP must have test plans
  3. The KEP must have graduation criteria.

The current release schedule is:

  • Monday, April 13: Week 1 - Release cycle begins
  • Tuesday, May 19: Week 6 - Enhancements Freeze
  • Thursday, June 25: Week 11 - Code Freeze
  • Thursday, July 9: Week 14 - Docs must be completed and reviewed
  • Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

@palnabarun
Member

Hi @jsafrane,

Tomorrow, Tuesday May 19 EOD Pacific Time is Enhancements Freeze

Will this enhancement be part of the 1.19 release cycle?

@palnabarun
Member

@jsafrane -- Unfortunately, the deadline for the 1.19 Enhancement freeze has passed. For now, this is being removed from the milestone and 1.19 tracking sheet. If there is a need to get this in, please file an enhancement exception.

@palnabarun palnabarun added the tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team label May 20, 2020
@jsafrane
Member Author

@palnabarun hey, we've just merged the KEP yesterday, at the last moment. I admit I did not pay attention to this enhancement issue and focused on the design. Do I really need an exception just to restore the milestone?

@palnabarun
Member

> Do I really need an exception just to restore the milestone?

Yes, an exception would be needed. Here is the process on how to file an exception request.

@palnabarun
Member

@jsafrane -- Your exception request was approved. I have updated the tracking sheet accordingly.

@palnabarun
Member

/milestone v1.19

@k8s-ci-robot k8s-ci-robot added this to the v1.19 milestone May 22, 2020
@palnabarun palnabarun added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 22, 2020
@palnabarun
Member

/stage alpha

@k8s-ci-robot k8s-ci-robot added the stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status label May 22, 2020
@zestrells

Hi @jsafrane - My name is Zachary, 1.19 Docs shadow. Is this enhancement work planned for 1.19 and does it require any new docs (or modifications to existing docs)? If not, can you please update the 1.19 Enhancement Tracker Sheet, or let me know, I can do it for you :)
If docs are required, just a friendly reminder that we are looking for a PR against k/website (branch dev-1.19) due by Friday, June 12, it can just be a placeholder PR at this time. Let me know if you have any questions!

@jsafrane
Member Author

@zestrells, yes, documentation will be needed. I can't edit the tracking sheet, can you please note it there?

@harshanarayana

Hey @jsafrane, I am with the enhancements team for the v1.19 release cycle as a shadow.

The code freeze deadline for the Enhancement is Thursday, June 25. I am checking in to see if there is any k/k PR that you have already opened for this enhancement and if so, would you be able to point me in the direction of the PR so that the same can be updated in the tracking sheet

Have a wonderful day. 🖖

@zestrells

Hi @jsafrane - Just a reminder that docs placeholder PR against dev-1.19 is due by June 12th. Does this enhancement require any changes to docs? If so, can you update here with a link to the PR once you have it in place? If not, please update the same, so that the tracking sheet can be updated accordingly. Thanks!

@harshanarayana

Hey @jsafrane, This is just a reminder that the code freeze for the enhancement is Thursday, June 25. I am checking in to see if there is any k/k PR that is already open against this enhancement that needs to be tracked.

Have a wonderful day. 🖖

@jsafrane
Member Author

API PR: kubernetes/kubernetes#91838
WIP Docs: kubernetes/website#21773

@harshanarayana

Hi, @jsafrane

This is a follow-up to the communication that went out to k-dev today. There has been a revision to the release schedule of v1.19 as follows.

Thursday, July 9th: Week 13 - Code Freeze
Thursday, July 16th: Week 14 - Docs must be completed and reviewed
Tuesday, August 25th: Week 20 - Kubernetes v1.19.0 released
Thursday, August 27th: Week 20 - Release Retrospective

You can find the revised Schedule in the sig-release Repo

Please let me know if you have any questions. 🖖

@harshanarayana

Hi @jsafrane ,

This is just a follow up to my earlier messages on the upcoming deadlines. The code freeze deadline is Thursday, July 9th EOD PST and I noticed that the k/k PRs are still in flight.

For the enhancement to be included into v1.19 this PR needs to be merged before the code freeze deadline.

Please refer to the Exception Process documentation in case if there is a need for one.

@harshanarayana

/milestone clear
/milestone v1.20

@k8s-ci-robot k8s-ci-robot removed this from the v1.19 milestone Jul 9, 2020
@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 26, 2022
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 25, 2023
@jsafrane
Member Author

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 27, 2023
@jsafrane
Member Author

Targeting beta in 1.27

/label lead-opted-in
/milestone v1.27
/stage beta

@k8s-ci-robot k8s-ci-robot added stage/beta Denotes an issue tracking an enhancement targeted for Beta status and removed stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status labels Jan 27, 2023
@k8s-ci-robot k8s-ci-robot added this to the v1.27 milestone Jan 27, 2023
@jsafrane jsafrane added the lead-opted-in Denotes that an issue has been opted in to a release label Jan 27, 2023
@marosset
Contributor

marosset commented Feb 1, 2023

Hello @jsafrane 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT Thursday 9th February 2023.

This enhancement is targeting for stage beta for v1.27 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • KEP readme using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable for latest-milestone: v1.27
  • KEP readme has an updated detailed test plan section filled out
  • KEP readme has up to date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

For this enhancement, it looks like #3797 will address the remaining requirements.

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well.
Thank you!

@jsafrane
Member Author

jsafrane commented Feb 9, 2023

@marosset I think the KEP is fine now, I got PRR approval for beta in #3797

@marosset
Contributor

marosset commented Feb 9, 2023

This enhancement meets all the requirements for being included in v1.27 and is now tracked for the release.
Thanks @jsafrane!

@marosset marosset added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels Feb 9, 2023
@mickeyboxell

Hi @jsafrane 👋, I’m reaching out from the 1.27 Release Docs team. This enhancement is marked as ‘Needs Docs’ for the 1.27 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.27 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by March 16. For more information, please take a look at Documenting for a release to familiarize yourself with the documentation requirements for the release.

Please feel free to reach out with any questions. Thanks!

@shatoboar

Hi @jsafrane👋,
Checking in as we approach 1.27 code freeze at 17:00 PDT on Tuesday 14th March 2023.
Please ensure the following items are completed:

  • All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • All PRs are fully merged by the code freeze deadline.

For this enhancement, it looks like the following PRs are open and need to be merged before code freeze:

Please let me know what other PRs in k/k I should be tracking for this KEP.
As always, we are here to help should questions come up. Thanks!

@jsafrane
Member Author

kubernetes/website#39836 is a blog entry, it has deadline after code freeze.

The only remaining PR that needs to be merged before the freeze is: kubernetes/kubernetes#116425. I'm working on it.

@jsafrane
Member Author

Doc update for Beta (not a placeholder): kubernetes/website#40014

@jsafrane
Member Author

BTW, all code was merged before the freeze.

@ibotty

ibotty commented May 8, 2023

> kubernetes/website#39836 is a blog entry,

It instructs to comment on this KEP when this is not sufficient. It is not for my deployment. I have a large (as in size and file count) CephFS volume that is mounted in multiple pods at the same time. It is only ever mounted with the same fsGroup and selinux context.

I get a CreateContainerError with context deadline exceeded when mounting the volume.

@jsafrane
Member Author

jsafrane commented May 9, 2023

copying a paragraph from the blog:

> If running two Pods with two different SELinux contexts and using different subPaths of the same volume is necessary in your deployments, please comment in the KEP issue (or upvote any existing comment - it's best not to duplicate). Such pods may not run when the feature is extended to cover all volume access modes.

@ibotty, from what you describe, you run all your Pods that access a big volume with the same fsGroup and SELinux contexts. If that's correct, then you should be fine when the feature gets expanded to all volume access modes (namely ReadWriteMany).

It will take some time to add ReadWriteMany volumes though - we need to catch the cases where things would break first. Like when people run Pods with different SELinux context that access the same volume simultaneously at different subpaths - as kubelet must mount the whole volumes with a single SELinux, not as subpath of it. (kubelet + SELinux is ... not intuitive, I'd say)
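The case discussed in the comment above (Pods with different SELinux contexts mounting the same volume, possibly at different subPaths) can be checked for in an existing cluster. This is an added example, not code from the Kubernetes project or from the commenters: the function names and sample pods are hypothetical, only PersistentVolumeClaim volumes are considered, and a container with no `seLinuxOptions` is treated as its own distinct "unset" label.

```python
from collections import defaultdict

def selinux_label(opts):
    """Render seLinuxOptions as user:role:type:level, or None when unset."""
    if not opts:
        return None
    return ":".join(opts.get(k, "") for k in ("user", "role", "type", "level"))

def conflicting_claims(pods):
    """Return {(namespace, claim): {label: [(pod, container, subPath)]}} for
    every PVC mounted under more than one distinct SELinux label."""
    seen = defaultdict(lambda: defaultdict(list))
    for pod in pods:
        meta, spec = pod["metadata"], pod["spec"]
        ns = meta.get("namespace", "default")
        pod_opts = spec.get("securityContext", {}).get("seLinuxOptions")
        claims = {v["name"]: v["persistentVolumeClaim"]["claimName"]
                  for v in spec.get("volumes", []) if "persistentVolumeClaim" in v}
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            # Container-level seLinuxOptions take precedence over pod-level ones.
            opts = c.get("securityContext", {}).get("seLinuxOptions") or pod_opts
            for m in c.get("volumeMounts", []):
                if m["name"] in claims:
                    seen[(ns, claims[m["name"]])][selinux_label(opts)].append(
                        (meta["name"], c["name"], m.get("subPath", "")))
    return {claim: dict(by) for claim, by in seen.items() if len(by) > 1}

def make_pod(name, claim, sub_path, level):
    """Constructed sample pod: one container mounting one PVC at a subPath."""
    return {"metadata": {"name": name, "namespace": "demo"},
            "spec": {"securityContext": {"seLinuxOptions": {"level": level}},
                     "volumes": [{"name": "data",
                                  "persistentVolumeClaim": {"claimName": claim}}],
                     "containers": [{"name": "app", "volumeMounts": [
                         {"name": "data", "mountPath": "/data", "subPath": sub_path}]}]}}

# Constructed sample input, shaped like the items of `kubectl get pods -A -o json`.
SAMPLE_PODS = [
    make_pod("writer", "shared-data", "a", "s0:c1,c2"),
    make_pod("reader", "shared-data", "b", "s0:c3,c4"),  # same PVC, other context
    make_pod("web-0", "web-data", "", "s0:c5,c6"),
    make_pod("web-1", "web-data", "", "s0:c5,c6"),        # same PVC, same context
]

if __name__ == "__main__":
    for (ns, claim), by_label in conflicting_claims(SAMPLE_PODS).items():
        print(f"{ns}/{claim}: {len(by_label)} distinct SELinux labels")
        for label, mounts in by_label.items():
            print(f"  {label}: {mounts}")
```

To run it against a real cluster, pass the `items` list from the JSON pod listing instead of `SAMPLE_PODS`.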

@Atharva-Shinde Atharva-Shinde removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team lead-opted-in Denotes that an issue has been opted in to a release labels May 14, 2023
Projects
Status: Tracked