KEP 1710: Update SELinux mount ReadWriteOnce optimization for 1.26 #3548
Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jsafrane The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
kind/kep
k8s-ci-robot
added
sig/storage
|
Not sure if it's needed, the feature was alpha in 1.25 and stays so in 1.26 |
k8s-ci-robot
added
the
lead-opted-in
jsafrane
force-pushed
the
update-selinux-alpha
branch
from
470fa93 to
c43f6d6
Compare
k8s-ci-robot
added
the
cncf-cla: yes
rhockenbury
removed
the
lead-opted-in
|
/retitle KEP 1710: Update SELinux mount ReadWriteOnce optimization for 1.26 |
k8s-ci-robot
changed the title
|
I am linking all volume reconstruction PRs to this enhancement update - I am trying to make as small and independent PRs as possible. |
|
I know we're changing this as part of the SELinux work but I wonder if it's worth having a separate doc just for reconstruction in general. There are other issues that would be great to fix such as reconstructing global mounts, and supporting non-mounting csi drivers. |
jsafrane
force-pushed
the
update-selinux-alpha
branch
from
869fba3 to
6e0342b
Compare
That sounds good. Where the document should be? We still have https://github.com/kubernetes/community/tree/master/contributors/devel/sig-storage, but IMO it's not a good place. |
| This metric captures nr. of failed Pod starts, including periodic retries. | ||
| 1. `volume_manager_selinux_volume_context_mismatch_errors_total` + `volume_manager_selinux_volume_context_mismatch_warnings_total`: Number of errors when a Pod uses a volume that is already mounted with a different SELinux context than the Pod needs. | ||
| Before this feature, both pods would start, but only one such pod could access the volume. | ||
| With this feature, one of the Pods won't even start. |
There was a problem hiding this comment.
We briefly discussed rejecting such pods via pod admission in future. Are we still planning to do that?
There was a problem hiding this comment.
Kubelet admission already rejects RWOP pods that use a volume that is already used.
We could add the same for Pods with mismatching SELinux contexts, however, some volume types (e.g. NFS) might support a volume mounted on a node several times with different contexts.
I opened #3763 |
|
/close |
|
@jsafrane: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Update "Speed up recursive SELinux label change" for Kubernetes 1.26
Issue link: Speed up recursive SELinux label change #1710
Updated the checkboxes at the beginning with the current state.
Added metrics.
Added details about volume reconstruction refactoring.
The feature stays in alpha in 1.26.