STOR-2267: Run SELinux warning controller

[jsafrane]

selinux-warning-controller is an optional controller in KCM that emits metrics + events about SELinux usage of persistent volumes in the cluster.

Since most Kubernetes distros don't care about SELinux, this controller needs explicit opt-in on KCM cmdline.
OCP needs the controller:

• to explain to users why their pods may not be running.
• to collect metrics about such promebatic pods, to emit alerts and telemetry.

The controller is disabled by default in Kubernetes 1.32 (under SELinuxChangePolicy feature gate), which is available under DevPreviewNoUpgrade since yesterday. It might reach TechPreviewNoUpgrade in 4.19 if everything goes smooth.

Upstream enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

WIP: manual testing

Tested manually with DevPreviewNoUpgrade cluster.

[openshift-ci-robot]

@jsafrane: This pull request references STOR-2267 which is a valid jira issue.

In response to this:

selinux-warning-controller is an optional controller in KCM that emits metrics + events about SELinux usage of persistent volumes in the cluster.

Since most Kubernetes distros don't care about SELinux, this controller needs explicit opt-in on KCM cmdline.
OCP needs the controller:

• to explain to users why their pods may not be running.
• to collect metrics about such promebatic pods, to emit alerts and telemetry.

The controller is disabled by default in Kubernetes 1.32 (under SELinuxChangePolicy feature gate).

Enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

WIP: for manual testing

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jsafrane
Once this PR has been reviewed and has the lgtm label, please assign atiratree for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@jsafrane: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/okd-scos-e2e-aws-ovn	9e24b2d	link	false	/test okd-scos-e2e-aws-ovn

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@jsafrane: This pull request references STOR-2267 which is a valid jira issue.

In response to this:

selinux-warning-controller is an optional controller in KCM that emits metrics + events about SELinux usage of persistent volumes in the cluster.

Since most Kubernetes distros don't care about SELinux, this controller needs explicit opt-in on KCM cmdline.
OCP needs the controller:

• to explain to users why their pods may not be running.
• to collect metrics about such promebatic pods, to emit alerts and telemetry.

The controller is disabled by default in Kubernetes 1.32 (under SELinuxChangePolicy feature gate).

Enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

WIP: manual testing

tested manually with this FeatureGate CR with is heading into DevPreviewNoUpgrade here:

 customNoUpgrade:
   enabled:
   - SELinuxMount
   - SELinuxChangePolicy
 featureSet: CustomNoUpgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jsafrane: This pull request references STOR-2267 which is a valid jira issue.

In response to this:

selinux-warning-controller is an optional controller in KCM that emits metrics + events about SELinux usage of persistent volumes in the cluster.

Since most Kubernetes distros don't care about SELinux, this controller needs explicit opt-in on KCM cmdline.
OCP needs the controller:

• to explain to users why their pods may not be running.
• to collect metrics about such promebatic pods, to emit alerts and telemetry.

The controller is disabled by default in Kubernetes 1.32 (under SELinuxChangePolicy feature gate).

Enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

WIP: manual testing

tested manually with this FeatureGate CR, which is is heading into DevPreviewNoUpgrade here:

 customNoUpgrade:
   enabled:
   - SELinuxMount
   - SELinuxChangePolicy
 featureSet: CustomNoUpgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jsafrane: This pull request references STOR-2267 which is a valid jira issue.

In response to this:

selinux-warning-controller is an optional controller in KCM that emits metrics + events about SELinux usage of persistent volumes in the cluster.

Since most Kubernetes distros don't care about SELinux, this controller needs explicit opt-in on KCM cmdline.
OCP needs the controller:

• to explain to users why their pods may not be running.
• to collect metrics about such promebatic pods, to emit alerts and telemetry.

The controller is disabled by default in Kubernetes 1.32 (under SELinuxChangePolicy feature gate).

Enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

WIP: manual testing

tested manually with DevPreviewNoUpgrade cluster.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@jsafrane: This pull request references STOR-2267 which is a valid jira issue.

In response to this:

selinux-warning-controller is an optional controller in KCM that emits metrics + events about SELinux usage of persistent volumes in the cluster.

Since most Kubernetes distros don't care about SELinux, this controller needs explicit opt-in on KCM cmdline.
OCP needs the controller:

• to explain to users why their pods may not be running.
• to collect metrics about such promebatic pods, to emit alerts and telemetry.

The controller is disabled by default in Kubernetes 1.32 (under SELinuxChangePolicy feature gate), which is available under DevPreviewNoUpgrade since yesterday. It might reach TechPreviewNoUpgrade in 4.19 if everything goes smooth.

Upstream enhancement: https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/1710-selinux-relabeling

WIP: manual testing

Tested manually with DevPreviewNoUpgrade cluster.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.