SELinux prevents local-path provisioner PV dirs from being cleaned up #460

Closed
zc-devs opened this issue Oct 27, 2024 · 1 comment

zc-devs commented Oct 27, 2024

k3s-io/k3s#10130 was fixed in 0.27 #402, but reverted in 0.28 #420, #421. So, versions 0.28-0.30 do not work.
Unfortunately, the workaround from #420 doesn't work either.
Config map:

kind: ConfigMap
apiVersion: v1
metadata:
  name: local-path-config
  namespace: kube-system
data:
  ...
  helperPod.yaml: |-
    apiVersion: v1
    kind: Pod
    metadata:
      name: helper-pod
    spec:
      containers:
      - name: helper-pod
        image: rancher/mirrored-library-busybox:1.36.1
        imagePullPolicy: IfNotPresent
        securityContext:
          seLinuxOptions:
            level: s0-s0:c0.c1023
      securityContext:
        seLinuxOptions:
          level: s0-s0:c0.c1023

And the actual Pod looks like helper-pod-delete-pvc-e272c076-4757-4201-85c3-133da223bd76.yaml.txt

As we can see, the security contexts from the config map are stripped out: there is no container security context and the Pod's context is empty.

Test Pod and PVC:

apiVersion: v1
kind: Pod
metadata:
  name: debug-pod-debian
  labels:
    app.kubernetes.io/name: lpp-test
spec:
  terminationGracePeriodSeconds: 5
  containers:
    - name: debian
      image: digitalocean/doks-debug
      command: ["sleep", "infinity"]
      volumeMounts:
        - mountPath: /data
          name: data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: lpp-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: lpp-data
  labels:
    app.kubernetes.io/name: lpp-test
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 32Mi

The workaround was tested using Local path provisioner 0.30 on K3s 1.30.6.


zc-devs commented Oct 27, 2024

Sorry, I didn't restart the LPP Pod. The workaround works.

@zc-devs zc-devs closed this as completed Oct 27, 2024