Add support for SELinux mount options

[gbucknel]

Is your feature request related to a problem? Please describe.
I'd like to run Jenkins on Bottlerocket. Jenkins uses an EBS volume and has millions of small files.
It runs as a stateful set. On Bottlerocket (which is selinux enabled ) when the pod moves to a new node it needs to relabel every single file and so the pod can stay down for half an hour while the relabelling runs.

This selinux relabelling feature out last year seems to address this :

https://kubernetes.io/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/

The crux of it is that node will mount the volume with the same set of configured selinux labels and will then not need to relabel anything, and no downtime will happen when moving to a new node.

From the blog post, 5 different conditions need to be met for this to work and the 5th is :

The volume plugin or the CSI driver responsible for the volume supports mounting with SELinux mount options.

I understand this isn't the case, given this closed issue -> #1544 . Am opening this issue to start the conversation again.

Describe the solution you'd like in detail
Please add selinux support to this driver.

Describe alternatives you've considered
I currently run Jenkins on Amazon Linux 2023 which has selinux disabled . Would be keen to get it to run on bottlerocket for uniformity (and the other advantages of bottlerocket).

[ConnorJC3]

/type feature

Hi, thanks for this feature request. We haven't explicitly tested it, but as a manual workaround you likely could use the feature if you meet all the other requirements and manually add seLinuxMount: true to our CSIDriver object.

I'll keep this open as a feature request to officially test/support this - I can't provide a specific ETA at this time but the team will provide any updates on this issue.

[kenny-qin]

Hey @ConnorJC3. I'm one of @gbucknel's colleagues.

I had a go at your suggestion of updating the object (kubectl edit csidriver ebs.csi.aws.com) so that seLinuxMount: true is set. I then drained the Amazon Linux node the Jenkins instance was sitting on and made sure that it scheduled on a Bottlerocket node. The pod exhibited the slow startup times as we'd observed in the past when we determined it was an issue with SELinux relabelling.

[ConnorJC3]

In that case, there are probably some changes we have to make for compatibility - it is on our backlog to test this feature and indentify/remediate any issues with selinux relabeling, but as I said above I don't have a firm ETA at this time, any updates will be posted here on the issue.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale