selinux: Ignore pods with Recursive policy

Pod that explicitly opted into "seLinuxChangePolicy: Recursive" should not
report conflicts with another SELinux labels. They will only report a
conflict with other Pods using the same volume with "seLinuxChangePolicy:
Mount" (or nil).

Author: jsafrane

pkg/controller/volume/selinuxwarning/selinux_warning_controller.go

@@ -451,10 +451,9 @@ func (c *Controller) syncPod(ctx context.Context, pod *v1.Pod) error {
 			continue
 		}
 
-		// Ignore how the volume is going to be mounted.
-		// Report any errors when a volume is used by two pods with different SELinux labels regardless of their
-		// SELinuxChangePolicy
-		seLinuxLabel := mountInfo.SELinuxProcessLabel
+		// Use the same label as kubelet will use for mount -o context.
+		// If the Pod has opted in to Recursive policy, it will be empty string here and no conflicts will be reported for it.
+		seLinuxLabel := mountInfo.SELinuxMountLabel
 
 		err = c.syncVolume(logger, pod, spec, seLinuxLabel, mountInfo.PluginSupportsSELinuxContextMount)
 		if err != nil {