Add support for SELinux mount options #2228

Open
gbucknel opened this issue Nov 14, 2024 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@gbucknel

Is your feature request related to a problem? Please describe.
I'd like to run Jenkins on Bottlerocket. Jenkins uses an EBS volume and has millions of small files.
It runs as a stateful set. On Bottlerocket (which is selinux enabled) when the pod moves to a new node it needs to relabel every single file and so the pod can stay down for half an hour while the relabelling runs.

This selinux relabelling feature that came out last year seems to address this:

https://kubernetes.io/blog/2023/04/18/kubernetes-1-27-efficient-selinux-relabeling-beta/

The crux of it is that node will mount the volume with the same set of configured selinux labels and will then not need to relabel anything, and no downtime will happen when moving to a new node.

From the blog post, 5 different conditions need to be met for this to work and the 5th is :

The volume plugin or the CSI driver responsible for the volume supports mounting with SELinux mount options.

I understand this isn't the case, given this closed issue -> #1544. Am opening this issue to start the conversation again.

Describe the solution you'd like in detail
Please add selinux support to this driver.

Describe alternatives you've considered
I currently run Jenkins on Amazon Linux 2023 which has selinux disabled. Would be keen to get it to run on bottlerocket for uniformity (and the other advantages of bottlerocket).

@ConnorJC3
Contributor

/type feature

Hi, thanks for this feature request. We haven't explicitly tested it, but as a manual workaround you likely could use the feature if you meet all the other requirements and manually add seLinuxMount: true to our CSIDriver object.

I'll keep this open as a feature request to officially test/support this - I can't provide a specific ETA at this time but the team will provide any updates on this issue.

@ConnorJC3 ConnorJC3 added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 14, 2024
@kenny-monster

Hey @ConnorJC3. I'm one of @gbucknel's colleagues.

I had a go at your suggestion of updating the object (kubectl edit csidriver ebs.csi.aws.com) so that seLinuxMount: true is set. I then drained the Amazon Linux node the Jenkins instance was sitting on and made sure that it scheduled on a Bottlerocket node. The pod exhibited the slow startup times as we'd observed in the past when we determined it was an issue with SELinux relabelling.

@ConnorJC3
Contributor

In that case, there are probably some changes we have to make for compatibility - it is on our backlog to test this feature and identify/remediate any issues with selinux relabeling, but as I said above I don't have a firm ETA at this time, any updates will be posted here on the issue.
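
An added example, not part of the thread or the driver's code: a pre-flight check over pod, PVC and CSIDriver objects for the manifest-visible conditions under which Kubernetes mounts a volume with an SELinux context instead of relabelling it. The ReadWriteOncePod and seLinuxOptions conditions are taken from the Kubernetes documentation for 1.27 rather than from this issue; the sample objects and the name `jenkins-home` are constructed, and the feature gates are not checked.

```python
import json

# Constructed sample objects (not from the issue), shaped like `kubectl get -o json` output.
CSIDRIVER = json.loads('{"metadata": {"name": "ebs.csi.aws.com"}, "spec": {"seLinuxMount": true}}')
PVC = json.loads('{"metadata": {"name": "jenkins-home"}, "spec": {"accessModes": ["ReadWriteOnce"]}}')
POD = json.loads("""{
  "spec": {
    "securityContext": {},
    "volumes": [{"name": "home", "persistentVolumeClaim": {"claimName": "jenkins-home"}}],
    "containers": [{"name": "jenkins",
                    "volumeMounts": [{"name": "home", "mountPath": "/var/jenkins_home"}]}]
  }
}""")


def selinux_mount_blockers(pod, pvc, csidriver):
    """Return the unmet manifest-level conditions for an SELinux context mount."""
    blockers = []
    # Condition quoted in the issue: the CSI driver must announce support.
    if not csidriver.get("spec", {}).get("seLinuxMount", False):
        blockers.append("CSIDriver spec.seLinuxMount is not true")
    # Assumption (Kubernetes 1.27 docs): only ReadWriteOncePod claims qualify.
    if "ReadWriteOncePod" not in pvc["spec"].get("accessModes", []):
        blockers.append("PVC access mode is not ReadWriteOncePod")
    # Assumption (Kubernetes 1.27 docs): the pod, or every container that
    # mounts the claim, must set seLinuxOptions.
    claim = pvc["metadata"]["name"]
    vols = {v["name"] for v in pod["spec"].get("volumes", [])
            if v.get("persistentVolumeClaim", {}).get("claimName") == claim}
    pod_opts = pod["spec"].get("securityContext", {}).get("seLinuxOptions")
    for c in pod["spec"]["containers"]:
        uses = any(m["name"] in vols for m in c.get("volumeMounts", []))
        own = c.get("securityContext", {}).get("seLinuxOptions")
        if uses and not (own or pod_opts):
            blockers.append(f"container {c['name']} has no seLinuxOptions")
    return blockers


if __name__ == "__main__":
    for reason in selinux_mount_blockers(POD, PVC, CSIDRIVER):
        print("blocker:", reason)
```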
