keps/sig-storage/1710-selinux-relabeling/README.md
9 additions & 2 deletions
@@ -682,12 +682,19 @@ All these e2e tests use only CSI volumes. All in-tree volume types that support
682
682
* Implemented SELinuxController.
683
683
* Beta of Phase 2 + 3 (`SELinuxChangePolicy` is beta and enabled by default; `SELinuxMount` is beta, but disabled by default).
684
684
* Telemetry numbers from OpenShift show that <5% of clusters would need to change any of their Pods.
685
-
* This phase signalizes that the feature is ready for real testing. Only non-breaking parts (`SELinuxChangePolicy`) are enabled by default.
686
-
* GA of Phase 2 (`SELinuxChangePolicy` + `SELinuxMountReadWriteOncePod` are GA and locked to default):
685
+
* This phase signalizes that the feature is ready for real testing.
686
+
Only non-breaking parts (`SELinuxChangePolicy`) are enabled by default.
687
+
Users willing to test `SELinuxMount` must enable it explicitly.
688
+
* GA of Phase 2 (`SELinuxChangePolicy` + `SELinuxMountReadWriteOncePod` are GA and locked to default, `SELinuxMount` is beta and disabled by default):
687
689
* All known issues fixed. Otherwise, we will GA Phase 1 only.
690
+
* Users can update their clusters safely, there is no breaking change yet.
691
+
Users willing to test `SELinuxMount` must enable it explicitly.
692
+
* This phase allows production clusters to check what Pods (Deployments, StatefulSets) need update and fix them before the breaking part (`SELinuxMount`) is enabled by default in the next phase.
688
693
* GA of Phase 3 (`SELinuxMount` is GA and locked to default):
689
694
* At least 1 release after `SELinuxChangePolicy` is GA to give cluster admins enough time to apply `SELinuxChangePolicy` to their Pods.
690
695
* Telemetry numbers from OpenShift show that <2% of clusters would need to change any of their Pods (i.e. most clusters already applied opt-out).
696
+
* This is the phase that may break existing applications during cluster upgrade.
697
+
Users that use SELinux should carefully evaluate the metrics emitted by kubelet and SELinuxWarningController and fix their workloads before upgrade to this version.
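Review bot: The new Phase 3 warning at new lines 696-697 tells users to evaluate "the metrics emitted by kubelet and SELinuxWarningController" but does not name those metrics or point to the section of the KEP that describes them, and the controller name does not match `SELinuxController` at line 682 of the same list. This is the phase the text itself says may break existing applications during cluster upgrade, so name the metrics (or link to where they are defined) and use one controller name throughout. Separately, "Users willing to test `SELinuxMount` must enable it explicitly." is added verbatim at new lines 687 and 691; if the repetition is intended, one of the two could say how it is enabled instead of restating it.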