Speed up recursive SELinux label change

[jsafrane]

Enhancement Description

• One-line enhancement description (can be used as a release note): Speed up container startup by mounting volumes with the correct SELInux label instead of changing each file on the volumes recursively.

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

• Primary contact (assignee): @jsafrane

• Responsible SIGs: sig-storage, sig-node

The KEP describes 3 phases / 3 feature gates.

SELinuxMountReadWriteOncePod:

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.24
  • Beta release target (x.y): 1.27
  • Stable release target (x.y): ≥ 1.35
• Alpha
  • KEP (k/enhancements) update PR(s):
  • Code (k/k) update PR(s):
  • Docs (k/website) update PR(s):
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-1710: Update SELinux mount ReadWriteOnce optimization for beta #3797
  • Code (k/k) update PR(s):
    • Flip SELinuxMountReadWriteOncePod to Beta kubernetes#116425
  • Docs (k/website) update(s):
    • Add blog for Efficient SELinux volume relabeling (Beta) website#39836

SELinuxChangePolicy

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.32
  • Beta release target (x.y): 1.33
  • Stable release target (x.y): ≥ 1.35
• Alpha
  • KEP (k/enhancements) update PR(s): 1710: Add SELinuxChangePolicy to PodSpec #4843
  • Code (k/k) update PR(s):
    • 1710: Implement SELinuxChangePolicy kubernetes#127981
    • 1710: Add SELinux warning controller kubernetes#128242
    • new/updated test jobs:
  • Docs (k/website) update PR(s):
    • Document SELinuxChangePolicy and SELinuxMount website#48515
• Beta
  • KEP (k/enhancements) update PR(s): 1710: selinux: Update the KEP for 1.33 and graduate to Beta #5096
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):

SELinuxMount

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.30
  • Beta release target (x.y): 1.33
  • Stable release target (x.y): ≥ 1.36
• Alpha
  • KEP (k/enhancements) update PR(s): Start SELinuxMount alpha #4436
  • Code (k/k) update PR(s):
    • Add SELinuxMount feature gate kubernetes#123157
    • Add label with access mode to SELinux metrics kubernetes#123667
    • new/updated test jobs:
      • Add CI job for SELinuxMount feature gate test-infra#32125
      • Fix typo in e2e-kops-aws-selinux skips test-infra#32143
      • https://testgrid.k8s.io/google-aws#kops-aws-selinux
      • https://testgrid.k8s.io/google-aws#kops-aws-selinux-alpha
  • Docs (k/website) update PR(s): Document SELinuxMount feature gate website#45280
• Beta
  • KEP (k/enhancements) update PR(s): 1710: selinux: Update the KEP for 1.33 and graduate to Beta #5096 (same as SELinuxChangePolicy)
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):

[jsafrane]

/sig storage
/sig node

[palnabarun]

Hey @jsafrane -- 1.19 Enhancements Lead here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

1. The KEP PR must be merged in an implementable state
2. The KEP must have test plans
3. The KEP must have graduation criteria.

---

The current release schedule is:

• Monday, April 13: Week 1 - Release cycle begins
• Tuesday, May 19: Week 6 - Enhancements Freeze
• Thursday, June 25: Week 11 - Code Freeze
• Thursday, July 9: Week 14 - Docs must be completed and reviewed
• Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

[palnabarun]

Hi @jsafrane,

Tomorrow, Tuesday May 19 EOD Pacific Time is Enhancements Freeze

Will this enhancement be part of the 1.19 release cycle?

[palnabarun]

@jsafrane -- Unfortunately, the deadline for the 1.19 Enhancement freeze has passed. For now, this is being removed from the milestone and 1.19 tracking sheet. If there is a need to get this in, please file an enhancement exception.

[jsafrane]

@palnabarun hey, we've just merged the KEP yesterday, at the last moment. I admit I did not pay attention to this enhancement issue and focused on the design. Do I really need an exception just to restore the milestone?

[palnabarun]

Do I really need an exception just to restore the milestone?

Yes, an exception would be needed. Here is the process on how to file and exception request.

[palnabarun]

@jsafrane -- Your exception request was approved. I have updated the tracking sheet accordingly.

[palnabarun]

/milestone v1.19

[palnabarun]

/stage alpha

[zestrells]

Hi @jsafrane - My name is Zachary, 1.19 Docs shadow. Is this enhancement work planned for 1.19 and does it require any new docs (or modifications to existing docs)? If not, can you please update the 1.19 Enhancement Tracker Sheet, or let me know, I can do it for you :)
If docs are required, just a friendly reminder that we are looking for a PR against k/website (branch dev-1.19) due by Friday, June 12, it can just be a placeholder PR at this time. Let me know if you have any questions!

[jsafrane]

@zestrells, yes, documentation will be needed. I can't edit the tracking sheet, can you please note it there?

[harshanarayana]

Hey @jsafrane, I am with the enhancements team for the v1.19 release cycle as a shadow.

The code freeze deadline for the Enhancement is Thursday, June 25. I am checking in to see if there is any k/k PR that you have already opened for this enhancement and if so, would you be able to point me in the direction of the PR so that the same can be updated in the tracking sheet

Have a wonderful day. 🖖

[zestrells]

Hi @jsafrane - Just a reminder that docs placeholder PR against dev-1.19 is due by June 12th. Does this enhancement require any changes to docs? If so, can you update here with a link to the PR once you have it in place? If not, please update the same, so that the tracking sheet can be updated accordingly. Thanks!

[harshanarayana]

Hey @jsafrane, This is just a reminder that the code freeze for the enhancement is Thursday, June 25. I am checking in to see if there is any k/k PR that is already open against this enhancement that needs to be tracked.

Have a wonderful day. 🖖

[jsafrane]

API PR: kubernetes/kubernetes#91838
WIP Docs: kubernetes/website#21773

[harshanarayana]

Hi, @jsafrane

This is a follow-up to the communication that went out to k-dev today. There has been a revision to the release schedule of v1.19 as follows.

Thursday, July 9th: Week 13 - Code Freeze
Thursday, July 16th: Week 14 - Docs must be completed and reviewed
Tuesday, August 25th: Week 20 - Kubernetes v1.19.0 released
Thursday, August 27th: Week 20 - Release Retrospective

You can find the revised Schedule in the sig-release Repo

Please let me know if you have any questions. 🖖

[harshanarayana]

Hi @jsafrane ,

This is just a follow up to my earlier messages on the upcoming deadlines. The code freeze deadline is Thursday, July 9th EOD PST and I noticed that the k/k PRs are still in flight.

For the enhancement to be included into v1.19 this PR needs to be merged before the code freeze deadline.

Please refer to the Exception Process documentation in case if there is a need for one.

[harshanarayana]

/milestone clear
/milestone v1.20

[dipesh-rawat]

Hello @jsafrane 👋, v1.33 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 14th February 2025 / 19:00 PDT Thursday 13th February 2025.

This enhancement is targeting stage beta for v1.33 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.33.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on Thursday 6th February 2025 so that the PRR team has enough time to review your KEP.

For this KEP, we would need to update the following:

• Ensure that the KEP has undergone a production readiness review and has been merged into k/enhancements. I see an approved beta PRR (here) but it was for SELinuxMountReadWriteOncePod beta transition, but it’s unclear if SELinuxChangePolicy and SELinuxMount require a separate PRR for their Beta transition. If not, let me know, and I’ll mark it as done in the checklist. Apologies for any confusion.

• Update the kep.yaml to reflect the following:

  • Add latest-milestone: v1.33.
  • Mention stage: beta.
  • Specify beta: "v1.33" for both SELinuxChangePolicy and SELinuxMount.

The status of this enhancement is marked as At risk for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[dipesh-rawat]

Hi @jsafrane 👋, 1.33 Enhancements team here,

Just a quick friendly reminder as we approach the enhancements freeze later this week, at 02:00 UTC Friday 14th February 2025 / 19:00 PDT Thursday 13th February 2025.

The current status of this enhancement is marked as At risk for enhancement freeze. There are a few requirements mentioned in the comment #1710 (comment) that still need to be completed.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[jsafrane]

@dipesh-rawat with #5096 merged, I think I am fine for 1.33. Please let me know if I missed some field somewhere, I can still fix it quickly.

[dipesh-rawat]

@jsafrane Now that PR #5096 has been merged, all the KEP requirements are in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

/label tracked/yes

[sreeram-venkitesh]

Hi @jsafrane! 👋 v1.33 Docs Shadow here.

Does this enhancement work planned for v1.33 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against dev-1.33 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 27th February 2025 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[sreeram-venkitesh]

@jsafrane Pinging as a reminder again for the docs placeholder PR deadline! Please open your docs placeholder PR by 27th February, thanks!

[aibarbetta]

Hi @jsafrane 👋 -- this is Agustina (@aibarbetta) from the 1.33 Communications Team!

For the 1.33 release, we are currently in the process of collecting and curating a list of potential feature blogs, and we'd love for you to consider writing one for your enhancement!

As you may be aware, feature blogs are a great way to communicate to users about features which fall into (but not limited to) the following categories:

• This introduces some breaking change(s)
• This has significant impacts and/or implications to users
• ...Or this is a long-awaited feature, which would go a long way to cover the journey more in detail 🎉

To opt in to write a feature blog, could you please let us know and open a "Feature Blog placeholder PR" (which can be only a skeleton at first) against the website repository by Wednesday, 5th March, 2025? For more information about writing a blog, please find the blog contribution guidelines 📚

Tip

Some timeline to keep in mind:

• 02:00 UTC Wednesday, 5th March, 2025: Feature blog PR freeze
• Monday, 7th April, 2025: Feature blogs ready for review
• You can find more in the release document

Note

In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[dipesh-rawat]

Hey again @jsafrane 👋, 1.33 Enhancements team here,

Just checking in as we approach code freeze at at 2:00 UTC Friday 21st March 2025 / 19:00 PDT Thursday 20th March 2025.

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this KEP, we would need to do the following:

• Ensure all PRs to the Kubernetes repo related to your enhancement are linked in the above issue description (for tracking purposes).
• Ensure all PRs are prepared for merging (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

If you anticipate missing code freeze, you can file an exception request in advance.

The status of this enhancement is marked as at risk for code freeze.

[aibarbetta]

Hi @jsafrane 👋, 1.33 Communications Team here again!

This is a gentle reminder for the feature blog deadline mentioned above, which is 02:00 UTC Wednesday, 5th March, 2025. I see a blog was written some time ago, has anything changed? would you like to write about it? To opt in, please let us know and open a Feature Blog placeholder PR against k/website by the deadline. If you have any questions, please feel free to reach out to us!

Tip

Some timeline to keep in mind:

• 02:00 UTC Wednesday, 5th March, 2025: Feature blog PR freeze
• Monday, 7th April, 2025: Feature blogs ready for review
• You can find more in the release document

Note

In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[dipesh-rawat]

Hi @jsafrane 👋, 1.33 Enhancements team here,

Just a quick friendly reminder as we approach the code freeze later this week, at 02:00 UTC Friday 21st March 2025 / 19:00 PDT Thursday 20th March 2025.

The current status of this enhancement is marked as At risk for code freeze. There are a few requirements mentioned in the comment #1710 (comment) that still need to be completed.

If you anticipate missing code freeze, you can file an exception request in advance. Thank you!

[dipesh-rawat]

Hi @jsafrane, I just noticed that the following two PRs related to this enhancement have been merged:

• 1710: selinux: Rename SELinuxWarningController metric #5184
• selinux: Promote SELinuxChangePolicy and SELinuxMount to beta kubernetes#130544

Could we please get confirmation that all required changes have been merged and that there are no other PRs remaining or planned before we update the final status of the KEP for code freeze? Just reaching out since we have less than 2 days left before the freeze. Thanks!