@@ -698,27 +698,24 @@ below have no effect.
698698Kubernetes v1.27 introduced an early limited form of this behavior that was only applicable
699699to volumes (and PersistentVolumeClaims) using the `ReadWriteOncePod` access mode.
700700
701- Kubernetes v1.33 promotes `SELinuxChangePolicy` and `SELinuxMount`
701+ Kubernetes v1.36 promotes `SELinuxChangePolicy` and `SELinuxMount`
702702[feature gates](/docs/reference/command-line-tools-reference/feature-gates/)
703- as beta to widen that performance improvement to other kinds of PersistentVolumeClaims,
704- as explained in detail below. While in beta, `SELinuxMount` is still disabled by default.
703+ as GA to widen that performance improvement to other kinds of PersistentVolumeClaims,
704+ as explained in detail below. `SELinuxMount` is still disabled by default.
705705{{< /note >}}
706706
707- With `SELinuxMount` feature gate disabled (the default in Kubernetes 1.33 and any previous release),
707+ With `SELinuxMount` feature gate disabled (the default in Kubernetes 1.36 and any previous release),
708708the container runtime recursively assigns SELinux label to all
709709files on all Pod volumes by default. To speed up this process, Kubernetes can change the
710710SELinux label of a volume instantly by using a mount option
711711` -o context=<label>` .
712712
713713To benefit from this speedup, all these conditions must be met :
714714
715- * The [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
716- ` SELinuxMountReadWriteOncePod` must be enabled.
717715* Pod must use PersistentVolumeClaim with applicable `accessModes` and [feature gates](/docs/reference/command-line-tools-reference/feature-gates/):
718- * Either the volume has `accessModes: ["ReadWriteOncePod"]`, and feature gate `SELinuxMountReadWriteOncePod` is enabled.
719- * Or the volume can use any other access modes and all feature gates
720- ` SELinuxMountReadWriteOncePod` , `SELinuxChangePolicy` and `SELinuxMount` must be enabled
721- and the Pod has `spec.securityContext.seLinuxChangePolicy` either nil (default) or `MountOption`.
716+ * Either the volume has `accessModes: ["ReadWriteOncePod"]`.
717+ * Or the volume can use any other access modes, and the feature gate `SELinuxMount` is enabled,
718+ and the Pod has `spec.securityContext.seLinuxChangePolicy` either nil (default) or `MountOption`.
722719* Pod (or all its Containers that use the PersistentVolumeClaim) must
723720 have `seLinuxOptions` set.
724721* The corresponding PersistentVolume must be either:
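Review bot: the new note text at 703+/704+ says v1.36 promotes `SELinuxMount` to GA and in the same sentence that it "is still disabled by default"; a GA gate that ships disabled is unusual, and the feature-gate list later in this file still describes `SELinuxMount` as "beta, but disabled", so either limit the GA claim to `SELinuxChangePolicy` or state the stage and default of `SELinuxMount` consistently in both places. Dropping "While in beta" at 704+ also removes the reason the gate is off; if the gate really is GA but opt-in, say so explicitly, for example "`SELinuxMount` is GA but remains disabled by default and must be enabled explicitly". Removing the `SELinuxMountReadWriteOncePod` requirement at 715-/716- and 718- is consistent with that gate being GA, but the parent bullet at 717715 still links "feature gates" as a condition, which now only applies to the second sub-bullet at 717+/718+.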
@@ -779,11 +776,12 @@ The following feature gates control the behavior of SELinux volume relabeling:
779776
780777* `SELinuxMountReadWriteOncePod`: enables the optimization for volumes with `accessModes: ["ReadWriteOncePod"]`.
781778 This is a very safe feature gate to enable, as it cannot happen that two pods can share one single volume with
782- this access mode. This feature gate is enabled by default sine v1 .28.
779+ this access mode. This feature gate is enabled by default since 1 .28 and is GA in 1.36 .
783780* `SELinuxChangePolicy`: enables `spec.securityContext.seLinuxChangePolicy` field in Pod and related SELinuxWarningController
784781 in kube-controller-manager. This feature can be used before enabling `SELinuxMount` to check Pods running on a cluster,
785782 and to pro-actively opt-out Pods from the optimization.
786- This feature gate requires `SELinuxMountReadWriteOncePod` enabled. It is beta and enabled by default in 1.33.
783+ This feature gate requires `SELinuxMountReadWriteOncePod` enabled. It is beta and enabled by default since 1.33
784+ and GA in 1.36.
787785* `SELinuxMount` enables the optimization for all eligible volumes. Since it can break existing workloads, we recommend
788786 enabling `SELinuxChangePolicy` feature gate + SELinuxWarningController first to check the impact of the change.
789787 This feature gate requires `SELinuxMountReadWriteOncePod` and `SELinuxChangePolicy` enabled. It is beta, but disabled
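Review bot: line 779+ carries stray spaces inside the version numbers, "1 .28" and "1.36 ." (inherited from "v1 .28" in the removed line), and drops the `v` prefix used elsewhere in the document ("v1.27", "v1.36"); suggest "This feature gate is enabled by default since v1.28 and is GA in v1.36." Lines 783+/784+ likewise read "since 1.33 and GA in 1.36" without the prefix. The `SELinuxMount` entry at 787785-789787 is left unchanged and still says the gate "is beta, but disabled", which contradicts the first hunk's statement that v1.36 promotes `SELinuxMount` to GA; update one or the other so the two descriptions agree.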