Document SELinuxChangePolicy and SELinuxMount #48515
Conversation
👷 Deploy Preview for kubernetes-io-vnext-staging processing.
✅ Pull request preview available for checking. Built without sensitive environment variables.
Hello @jsafrane 👋 please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review before Tuesday November 19th 2024 18:00 PST. Thank you!
Hi @jsafrane, just a friendly reminder to get your PR ready for review before Tuesday November 19th, thanks!
Files with review threads:
content/en/docs/reference/command-line-tools-reference/feature-gates/selinux-mount.md
content/en/docs/tasks/configure-pod-container/security-context.md
/lgtm
LGTM label has been added. Git tree hash: e8b8f36bada753bfb64ddbc0d805d4b2ba39e18e
Hi @nate-double-u, Thank you so much!
xing-yang left a comment
Some nits. Otherwise it looks good to me.
with different SELinux labels:
1. It emits an event to both of the Pods. `kubectl describe pod <pod-name>` the shows
`SELinuxLabel "<label on the pod>" conflicts with pod <the other pod name> that uses the same volume as this pod
with SELinuxLabel "<the other pod label>". If both pods land on the same node, only one of them may access the volume`.
nit: volume` -> volume
So that is the text from the event copied verbatim and there is indeed a trailing ``` to close the markdown inline section.
When enabled, the controller observes running Pods and when it detects that two Pods use the same volume
with different SELinux labels:
1. It emits an event to both of the Pods. `kubectl describe pod <pod-name>` the shows
nit: "the shows" -> "that shows"
fixed.
/assign @gnufied
/lgtm
Tech LGTM and Docs LGTM are in place above /approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: chanieljdan. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Description
This is documentation of SELinuxMount and SELinuxChangePolicy features for 1.32.
KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling
It is a complex feature. There are three feature gates + a new controller that affect SELinux + a possible breaking change. I tried to put everything into the "Assign SELinux labels to a Container" chapter.
It will get much simpler when all feature gates graduate to GA.
In future Kubernetes releases, the feature gates will get enabled in the sequence described in the KEP, requiring cluster admins to check their cluster before upgrades and opt out when necessary. I think that will need to be documented in the release when the features are enabled by default and not now.