website
website copied to clipboard
kubernetes
Announce improved SELinux volume relabelling beta
Description
Document how SELinux feature gates (now beta) work together and potential actions needed before they graduate to GA.
Goals:
- Ensure non-SELinux users that nothing changes for them (= vast majority of users / cluster admins can just ignore all SELinux feature gates).
- Warn users / cluster admins / Kubernetes vendors that use SELinux about potentially breaking changes in a future release. Provide a clear way how to check if they're safe or they need to change anything. This is important to ensure smooth update.
- OpenShift stats show that ~ 1.3% of all clusters would have at least one affected Pod, most of them with just handful of them. Some clusters (~0.3%) have more than 100 affected Pods and may need some work before the breaking upgrade when
SELinuxMountgoes GA + locked. Data taken on 2025-03-24.
- OpenShift stats show that ~ 1.3% of all clusters would have at least one affected Pod, most of them with just handful of them. Some clusters (~0.3%) have more than 100 affected Pods and may need some work before the breaking upgrade when
- Emphasize that ephemeral volumes like
secretsandconfigMapscan be still shared among pods with different SELinux labels.
Random notes:
- Removed note about ReadWriteOncePod feature gate, it's GA and locked.
Issue
KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling Enhancement issue: https://github.com/kubernetes/enhancements/issues/1710
Deploy Preview for kubernetes-io-vnext-staging processing.
| Name | Link |
|---|---|
| Latest commit | 5d6fb08b15f8da587fc3cfc5eb653e0be08a0b7a |
| Latest deploy log | https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/67e3ebdfb9036b0008e3a80e |
![netlify[bot] avatar](https://avatars.githubusercontent.com/in/13473?v=4 "Published by a pub.dev verified publisher"){kind=small}
Pull request preview available for checking
Built without sensitive environment variables
| Name | Link |
|---|---|
| Latest commit | c8a7cac3335590e5f9ab4a85b7b4b4973eb733f4 |
| Latest deploy log | https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/67bf2e1c0dbeae0008c522ab |
| Deploy Preview | https://deploy-preview-49919--kubernetes-io-main-staging.netlify.app |
| Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
Pull request preview available for checking
Built without sensitive environment variables
| Name | Link |
|---|---|
| Latest commit | 5d6fb08b15f8da587fc3cfc5eb653e0be08a0b7a |
| Latest deploy log | https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/67e3ebdf93c1ce0008bb6874 |
| Deploy Preview | https://deploy-preview-49919--kubernetes-io-main-staging.netlify.app |
| Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site configuration.
Placeholders should be marked as work in progress, so:
/retitle [WIP] Announce improved SELinux volume relabelling
Hello @jsafrane :wave: please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review before Tuesday 25th March 2025 18:00 PDT. Thank you!
/approve /hold Doc looks good. Holding for upstream change to be merged. Feel free to unhold when that happens.
@tengqm pardon my ignorance, what "upstream change" should be merged first?
@tengqm pardon my ignorance, what "upstream change" should be merged first?
The upstream change means the PR that promotes the gate in kubernetes/kubernetes.
I think that has merged: https://github.com/kubernetes/kubernetes/pull/130544
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: tengqm
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~content/en/docs/OWNERS~~ [tengqm]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
LGTM label has been added.