Don't guess SELinux support on error

[jsafrane]

When GetSELinuxSupport() fails, don't assume a mounted filesystem does not support SELinux at all. Try again instead in the next SetUp retry.

This may hurt performance a bit, since kubelet will call NodePublishVolume again, but it's better than providing wrong information to the container runtime that will then skip relabeling of the volume.

What type of PR is this?

/kind bug

Which issue(s) this PR fixes:

Fixes #105933

Does this PR introduce a user-facing change?

Fixed applying of SELinux labels to CSI volumes on very busy systems (with "error checking for SELinux support: could not get consistent content of /proc/self/mountinfo after 3 attempts")

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[k8s-ci-robot]

@jsafrane: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/volume/OWNERS [jsafrane]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mattcary]

/lgtm

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[k8s-triage-robot]

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

• The PR does have any do-not-merge/* labels
• The PR does not have the needs-ok-to-test label
• The PR is mergeable (does not have a needs-rebase label)
• The PR is approved (has cncf-cla: yes, lgtm, approved labels)
• The PR is failing tests required for merge

You can:

• Review the full test history for this PR
• Prevent this bot from retesting with /lgtm cancel or /hold
• Help make our tests less flaky by following our Flaky Tests Guide

/retest

[gnufied]

I wonder if this will cause regression in environments that don't even have selinux enabled. Could we check if host supports selinux before even querying mount info, so as hosts that don't support selinux do not incur the potential overhead of reading mount table?

[jsafrane]

Added a check for SELinux support in the OS via pkg/util/selinux.SELinuxEnabled`, which should be cached after the first invocation.

[gnufied]

Putting on hold to address comment above.

/hold

[jsafrane]

Added SELinux detection + fixed unit tests not to return error from GetSELinuxSupport.

[gnufied]

/hold cancel
/lgtm

[jsafrane]

/retest
vendor/k8s.io/apimachinery/pkg/util/httpstream/spdy unit test failed?

[jsafrane]

/priority important-soon