WIP: 1710: Add SELinuxChangePolicy to PodSpec

[jsafrane]

We found out that we need an explicit opt-out for mounting all volumes with -o context - all pods sharing the same volume must have the same label + must be all unprivileged (or all privileged).

There are many changes in the KEP because of that. It feels like a new KEP.

• New API field: PodSecurityContext.SELinuxChangePolicy with values Recursive and MountOption. MountOption is the default one!
• Since the KEP changes the default behavior, there are more details how to upgrade a cluster safely. Short summary
  1. A new feature gate SELinuxChangePolicy gets enabled in Kubernetes 1.N.
     • This enables the new field SELinuxChangePolicy.
     • SELinuxMount feature gate is still disabled.
     • Cluster admin can (easily?) list what Pods would break when SELinuxMount gets enabled in the next Kubernetes release and fix them (either don't mix privileged and unprivileged pods or set their SELinuxChangePolicy: Recursive).
     • A kubernetes distro may choose to alert / block upgrades to a version that has SELinuxMount enabled until the cluster admin fixes all problematic Pods.
  2. In the next Kubernetes upgrade, SELinuxMount gets enabled by default, but it does not break anything, because all problematic Pods were fixed before the upgrade.

WIP:

• check PRR questionnaire + see what needs to be changed there
• kube-state-metrics may need more thoughts, especially with all weird rules and feature gates around SELinux mount.

• Issue link: Speed up recursive SELinux label change #1710

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jsafrane

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/sig-storage/OWNERS [jsafrane]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gnufied]

IMO, this table can be removed and merged with "Volume Mounting" section.

[jsafrane]

I;m not sure, "Volume Mounting" describes general mount capabilities. This example shows how we're going to use these capabilities in kubelet.

[gnufied]

Also - for this option to work, Pod must have an explicit SELinux context specified, otherwise it will again default to recursive.

IMO - this default though makes sense, there isn't one single word that is going to capture all the necessary information.

---

I was thinking - how about we keep existing default and introduce a boolean field in securityContext. So something like:

securityContext.useSELInuxMountOption: true|false

So we keep existing behaviour for ReadWriteOncePod and other situations (if field is nil) but use this field if explicitly set to true. If this is explicitly set to false, then I guess we will have to use recursive chcon even for RWOP volumes. But that doesn't seem so bad.

[jsafrane]

We should have all allowed options as explicit values in the API. nil should mean either true or false, not something in between.

I'll add the wording about SELinux label in Pod.

[jsafrane]

Added a very short sentence about SELinuxLabel in PodSecurityContext / SecurityContext.

[jsafrane]

I split it into some small commits, but there is still a huge one with the API change. And I tried to capture what was already done and how we want to move forward.

[gnufied]

Another option I was thinking is - UseMountOptionsSafely, it is perhaps as much big as current choice, but again this name is going to be just picking "okay" option among worst. :(