Author: Jan Šafránek (Red Hat)
The problem
On Linux with Security-Enhanced Linux (SELinux) enabled, it's traditionally the container runtime that applies SELinux labels to a Pod and all its volumes. Kubernetes only passes the SELinux label from a Pod's securityContext fields to the container runtime.
The container runtime then recursively changes the SELinux label on all files that are visible to the Pod's containers. This can be time-consuming if there are many files on the volume, especially when the volume is on a remote filesystem.
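To gauge how much work such a recursive relabel means for a given volume, the following added example (not code from the original post or from Kubernetes) walks a directory tree read-only and counts the entries whose `security.selinux` extended attribute differs from a target context. The function names and the sample context are assumptions made for illustration.

```python
import os
import sys

# Extended attribute in which Linux stores a file's SELinux context.
XATTR = "security.selinux"


def read_label(path):
    """Return the SELinux context of path, or None if it has none."""
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError:
        # No label set, or the filesystem does not support this xattr.
        return None
    return raw.rstrip(b"\x00").decode()


def relabel_work(root, target, reader=read_label):
    """Return (total, stale): entries under root, and those not labeled target.

    A recursive relabel has to visit every one of the `total` entries;
    `stale` is the number whose label it would actually have to rewrite.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        # dirnames also contains symlinks to directories, which os.walk does
        # not descend into; they are inspected as links, never followed.
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    stale = [p for p in paths if reader(p) != target]
    return len(paths), len(stale)


if __name__ == "__main__":
    # Usage: python relabel_work.py /path/to/volume CONTEXT
    # Constructed sample context: system_u:object_r:container_file_t:s0:c10,c20
    volume, context = sys.argv[1], sys.argv[2]
    total, stale = relabel_work(volume, context)
    print(f"{total} entries visited, {stale} would need a new label")
```

On a remote filesystem every visited entry costs at least one round trip, so `total` rather than `stale` is the better predictor of how long the relabel takes.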