Speed up recursive SELinux label change

[jsafrane]

Enhancement Description

• One-line enhancement description (can be used as a release note): Speed up container startup by mounting volumes with the correct SELInux label instead of changing each file on the volumes recursively.

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

• Primary contact (assignee): @jsafrane

• Responsible SIGs: sig-storage, sig-node

The KEP describes 3 phases / 3 feature gates.

SELinuxMountReadWriteOncePod:

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.24
  • Beta release target (x.y): 1.27
  • Stable release target (x.y): 1.34
• Alpha
  • KEP (k/enhancements) update PR(s):
  • Code (k/k) update PR(s):
  • Docs (k/website) update PR(s):
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-1710: Update SELinux mount ReadWriteOnce optimization for beta #3797
  • Code (k/k) update PR(s):
    • Flip SELinuxMountReadWriteOncePod to Beta kubernetes#116425
  • Docs (k/website) update(s):
    • Add blog for Efficient SELinux volume relabeling (Beta) website#39836

SELinuxChangePolicy

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.32
  • Beta release target (x.y): 1.33-34
  • Stable release target (x.y): ?
• Alpha
  • KEP (k/enhancements) update PR(s): 1710: Add SELinuxChangePolicy to PodSpec #4843
  • Code (k/k) update PR(s):
    • 1710: Implement SELinuxChangePolicy kubernetes#127981
    • 1710: Add SELinux warning controller kubernetes#128242
    • new/updated test jobs:
  • Docs (k/website) update PR(s):
    • Document SELinuxChangePolicy and SELinuxMount website#48515
• Beta
  • KEP (k/enhancements) update PR(s):
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):

SELinuxMount

• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.30
  • Beta release target (x.y): 1.34-35
  • Stable release target (x.y): ?
• Alpha
  • KEP (k/enhancements) update PR(s): Start SELinuxMount alpha #4436
  • Code (k/k) update PR(s):
    • Add SELinuxMount feature gate kubernetes#123157
    • Add label with access mode to SELinux metrics kubernetes#123667
    • new/updated test jobs:
      • Add CI job for SELinuxMount feature gate test-infra#32125
      • Fix typo in e2e-kops-aws-selinux skips test-infra#32143
      • https://testgrid.k8s.io/google-aws#kops-aws-selinux
      • https://testgrid.k8s.io/google-aws#kops-aws-selinux-alpha
  • Docs (k/website) update PR(s): Document SELinuxMount feature gate website#45280
• Beta
  • KEP (k/enhancements) update PR(s):
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):

[jsafrane]

/sig storage
/sig node

[palnabarun]

Hey @jsafrane -- 1.19 Enhancements Lead here. I wanted to check in and see if you think this Enhancement will be graduating in 1.19?

In order to have this part of the release:

1. The KEP PR must be merged in an implementable state
2. The KEP must have test plans
3. The KEP must have graduation criteria.

---

The current release schedule is:

• Monday, April 13: Week 1 - Release cycle begins
• Tuesday, May 19: Week 6 - Enhancements Freeze
• Thursday, June 25: Week 11 - Code Freeze
• Thursday, July 9: Week 14 - Docs must be completed and reviewed
• Tuesday, August 4: Week 17 - Kubernetes v1.19.0 released

[palnabarun]

Hi @jsafrane,

Tomorrow, Tuesday May 19 EOD Pacific Time is Enhancements Freeze

Will this enhancement be part of the 1.19 release cycle?

[palnabarun]

@jsafrane -- Unfortunately, the deadline for the 1.19 Enhancement freeze has passed. For now, this is being removed from the milestone and 1.19 tracking sheet. If there is a need to get this in, please file an enhancement exception.

[jsafrane]

@palnabarun hey, we've just merged the KEP yesterday, at the last moment. I admit I did not pay attention to this enhancement issue and focused on the design. Do I really need an exception just to restore the milestone?

[palnabarun]

Do I really need an exception just to restore the milestone?

Yes, an exception would be needed. Here is the process on how to file and exception request.

[palnabarun]

@jsafrane -- Your exception request was approved. I have updated the tracking sheet accordingly.

[palnabarun]

/milestone v1.19

[palnabarun]

/stage alpha

[zestrells]

Hi @jsafrane - My name is Zachary, 1.19 Docs shadow. Is this enhancement work planned for 1.19 and does it require any new docs (or modifications to existing docs)? If not, can you please update the 1.19 Enhancement Tracker Sheet, or let me know, I can do it for you :)
If docs are required, just a friendly reminder that we are looking for a PR against k/website (branch dev-1.19) due by Friday, June 12, it can just be a placeholder PR at this time. Let me know if you have any questions!

[jsafrane]

@zestrells, yes, documentation will be needed. I can't edit the tracking sheet, can you please note it there?

[harshanarayana]

Hey @jsafrane, I am with the enhancements team for the v1.19 release cycle as a shadow.

The code freeze deadline for the Enhancement is Thursday, June 25. I am checking in to see if there is any k/k PR that you have already opened for this enhancement and if so, would you be able to point me in the direction of the PR so that the same can be updated in the tracking sheet

Have a wonderful day. 🖖

[zestrells]

Hi @jsafrane - Just a reminder that docs placeholder PR against dev-1.19 is due by June 12th. Does this enhancement require any changes to docs? If so, can you update here with a link to the PR once you have it in place? If not, please update the same, so that the tracking sheet can be updated accordingly. Thanks!

[harshanarayana]

Hey @jsafrane, This is just a reminder that the code freeze for the enhancement is Thursday, June 25. I am checking in to see if there is any k/k PR that is already open against this enhancement that needs to be tracked.

Have a wonderful day. 🖖

[jsafrane]

API PR: kubernetes/kubernetes#91838
WIP Docs: kubernetes/website#21773

[harshanarayana]

Hi, @jsafrane

This is a follow-up to the communication that went out to k-dev today. There has been a revision to the release schedule of v1.19 as follows.

Thursday, July 9th: Week 13 - Code Freeze
Thursday, July 16th: Week 14 - Docs must be completed and reviewed
Tuesday, August 25th: Week 20 - Kubernetes v1.19.0 released
Thursday, August 27th: Week 20 - Release Retrospective

You can find the revised Schedule in the sig-release Repo

Please let me know if you have any questions. 🖖

[harshanarayana]

Hi @jsafrane ,

This is just a follow up to my earlier messages on the upcoming deadlines. The code freeze deadline is Thursday, July 9th EOD PST and I noticed that the k/k PRs are still in flight.

For the enhancement to be included into v1.19 this PR needs to be merged before the code freeze deadline.

Please refer to the Exception Process documentation in case if there is a need for one.

[harshanarayana]

/milestone clear
/milestone v1.20

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[jsafrane]

/remove-lifecycle stale

[kannon92]

@jsafrane What is your goal for this KEP in 1.32?

[jsafrane]

/milestone v1.32

[dipesh-rawat]

Hello @jsafrane 👋, v1.32 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 11th October 2024 / 19:00 PDT Thursday 10th October 2024.

This enhancement is targeting for stage beta for v1.32 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.32.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on Thursday 3rd October 2024 so that the PRR team has enough time to review your KEP.

For this KEP, we would just need to update the following:

• Update kep.yaml to mention latest-milestone: v1.32 and beta: "v1.32"

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[jsafrane]

Update kep.yaml to mention latest-milestone: v1.32 and beta: "v1.32"

Done. I also asked for PRR of the new feature gate SELinuxChangePolicy in 1.32 in #4843

[dipesh-rawat]

Hi @jsafrane 👋, v1.32 Enhancements team here.

Just a quick friendly reminder as we approach the enhancements freeze later this week, at 02:00 UTC Friday 11th October 2024 / 19:00 PDT Thursday 10th October 2024.

The current status of this enhancement is marked as at risk for enhancement freeze. There are a few requirements mentioned in the comment #1710 (comment) that still need to be completed.

It looks like PR #4843 will address most of these issues. The PR #4843 needs to be merged before the enhancements freeze.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[dipesh-rawat]

Hello @jsafrane 👋, v1.32 Enhancements team here,

Now that PR #4843 has been merged, all the KEP requirements are in place and merged into k/enhancements.

Before the enhancement freeze, it would be appreciated if following nit could be addressed:

• Update issue description to mention PR 1710: Add SELinuxChangePolicy to PodSpec #4843

Aside from the minor nit mentioned above, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is now marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[pacoxu]

• Update issue description to mention PR 1710: Add SELinuxChangePolicy to PodSpec #4843

This is needed.

SELinuxMountReadWriteOncePod:

• Alpha release target (x.y): 1.25
• Beta release target (x.y): 1.27
• Stable release target (x.y)

SELinuxMount

• Alpha release target (x.y): 1.30
• Beta release target (x.y): 1.31-32
• Stable release target (x.y): ?

SELinuxMountReadWriteOncePod and SELinuxMount alpha/beta versions are different from keps/sig-storage/1710-selinux-relabeling/kep.yaml. Would you sync the right version in the issue description? @jsafrane

enhancements/keps/sig-storage/1710-selinux-relabeling/kep.yaml

Lines 23 to 29 in 25777c1

	milestone:
	alpha: "v1.24" # SELinuxMountReadWriteOncePod
	beta: "v1.27" # SELinuxMountReadWriteOncePod
	stable: "v1.34" # Very optimistic plan for SELinuxMountReadWriteOncePod GA, needs SELinuxMount very close to GA
	# alpha: "v1.30" # SELinuxMount
	# alpha: "v1.32" # SELinuxChangePolicy

[jsafrane]

@pacoxu sorry, my bad. I updated this issue description.

[rdalbuquerque]

Hello @jsafrane 👋, 1.32 Docs Shadow here.
Does this enhancement work planned for 1.32 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.32 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday October 24th 2024 18:00 PDT.
Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.
Thank you!

[rytswd]

Hi @jsafrane 👋 -- this is Ryota (@rytswd) from the v1.32 Communications Team!

For the v1.32 release, we are currently in the process of collecting and curating a list of potential feature blogs, and we'd love for you to consider writing one for your enhancement!

As you may be aware, feature blogs are a great way to communicate to users about features which fall into (but not limited to) the following categories:

• This introduces some breaking change(s)
• This has significant impacts and/or implications to users
• ...Or this is a long-awaited feature, which would go a long way to cover the journey more in detail 🎉

To opt in to write a feature blog, could you please let us know and open a "Feature Blog placeholder PR" (which can be only a skeleton at first) against the website repository by Wednesday, 30th Oct 2024? For more information about writing a blog, please find the blog contribution guidelines 📚

Tip

Some timeline to keep in mind:

• 02:00 UTC Wednesday, 30th Oct: Feature blog PR freeze
• Monday, 25th Nov: Feature blogs ready for review
• You can find more in the release document

Note

In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[dipesh-rawat]

Hey again @jsafrane 👋 v1.32 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Friday 8th November 2024 / 19:00 PDT Thursday 7th November 2024 .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs are open and need to be merged before code freeze (and we need to update the Issue description to include all the related PRs of this KEP):

• 1710: Implement SELinuxChangePolicy kubernetes#127981
• 1710: Add SELinux warning controller kubernetes#128242

Additionally, please let me know if there are any other PRs in k/k not listed in the description or linked with this GitHub issue that we should track for this KEP, so that we can maintain accurate status.

The status of this enhancement is marked as at risk for code freeze.

If you anticipate missing code freeze, you can file an exception request in advance. Thank you!

[rdalbuquerque]

Hi @jsafrane , just a reminder to open a draft PR following the steps here.

Thanks

[jsafrane]

Placeholder 1.32 docs: kubernetes/website#48515

[rytswd]

Hi @jsafrane 👋, v1.32 Communications Team here again!

This is a gentle reminder for the feature blog deadline mentioned above, which is 02:00 UTC Wednesday, 30th Oct. To opt in, please let us know and open a Feature Blog placeholder PR against k/website by the deadline. If you have any questions, please feel free to reach out to us!

Tip

Some timeline to keep in mind:

• 02:00 UTC Wednesday, 30th Oct: Feature blog PR freeze
• Monday, 25th Nov: Feature blogs ready for review
• You can find more in the release document

Note

In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[dipesh-rawat]

Hi @jsafrane 👋 v1.32 Enhancements team here,

I see that PR kubernetes/kubernetes#127981 has been merged, implementing SELinuxChangePolicy. Are there any additional code/test changes planned for this KEP needed to progress for release in v1.32? If there are, could you update the issue description so we can track them and ensure accurate status? And if no further changes are expected, please let me know as well. Once I have your update, I’ll adjust the status of this KEP accordingly.

The current status of this enhancement is marked as at risk for code freeze.

Additionally, could you please keep the issue description updated with all the currently known code and documentation PRs targeted for v1.32? It would be really helpful. Thanks!

[dipesh-rawat]

@jsafrane I see that PRs kubernetes/kubernetes#127981 and kubernetes/kubernetes#128242 linked to this KEP issue have been merged. Are there any additional code/test changes planned for this KEP to consider it complete for the v1.32 release, or are we good to mark it as tracked for code freeze now?

[dipesh-rawat]

@jsafrane It seems that there hasn’t been a response to the previous question #1710 (comment), so I’ll assume that the code PR implementations are only kubernetes/kubernetes#127981 and kubernetes/kubernetes#128242. Since both of these have been merged, This enhancement is now marked as tracked for code freeze for the v1.32 Code Freeze!. However, if this assumption is incorrect, please let us know so we can update the status accordingly.