Kubernetes SELinux Mount Optimization: What v1.36 Means for Your Cluster

<p>Starting with Kubernetes v1.36, the <strong>SELinuxMount</strong> feature gate reaches General Availability, marking a significant shift in how SELinux labels are applied to volumes. This change dramatically speeds up volume mounting by avoiding recursive relabeling, but it can disrupt workloads that rely on the old behavior—especially those sharing volumes between privileged and unprivileged Pods. In v1.37, this feature is expected to become enabled by default, so now is the time to audit your cluster. This article answers common questions about the update, its implications, and what steps you should take.</p> <h2 id="q1">1. What is the major SELinux change in Kubernetes v1.36?</h2> <p>Kubernetes v1.36 graduates the <strong>SELinuxMount</strong> feature gate to General Availability (GA). This feature allows the kubelet to mount volumes with a kernel <code>-o context=&lt;label&gt;</code> option, so the SELinux label is applied at the mount level rather than by recursively walking every file. For workloads that use <strong>ReadWriteOncePod</strong> volumes, this optimization was already available under a separate gate (<code>SELinuxMountReadWriteOncePod</code>) since v1.28. Now, the same efficient approach extends to all volume types. The feature is currently opt-in via the <code>SELinuxMount</code> flag and the <code>spec.securityContext.seLinuxChangePolicy</code> field on Pods. However, v1.37 is expected to turn it on by default, so clusters still relying on recursive relabeling need to adapt.</p> <h2 id="q2">2. 
Why was recursive relabeling a problem for Kubernetes workloads?</h2> <p>Traditionally, SELinux labels in Kubernetes have been applied by the container runtime, which recursively changes the label on every file inside a volume. This process can be <strong>extremely slow</strong>, especially for volumes with many files or those stored on remote filesystems like NFS. The delay compounds during Pod startup and can lead to failed or delayed scheduling. Additionally, recursive relabeling made it difficult to share a single volume between Pods with different SELinux labels—only <code>subPath</code> mounts were viable. The old mechanism also assigned <strong>random unique labels</strong> to Pods that didn't specify one, further increasing overhead without always improving security. Overall, recursive relabeling was a bottleneck for performance and scalability in SELinux-enabled environments.</p> <h2 id="q3">3. How does the new SELinuxMount feature improve volume setup performance?</h2> <p>Instead of performing a recursive inode traversal, the kubelet now passes the desired SELinux label directly to the kernel through the mount <code>context</code> option. This tells the filesystem to <strong>automatically apply the label</strong> to every inode under that mount point without touching existing files. The result is near-instantaneous volume setup, regardless of how many files the volume contains. The improvement is particularly noticeable for large volumes or those on remote filesystems where recursive chcon commands would have caused network round-trips for each file. By removing the relabeling bottleneck, Pods start faster, and the overall cluster responsiveness improves—especially when many Pods share a node.</p> <h2 id="q4">4. 
What are the prerequisites for a volume to use the new SELinux mount context approach?</h2> <p>To take advantage of mount-level SELinux labeling, several conditions must be met:</p> <ul> <li>The <strong>kubelet</strong> must have the <code>SELinuxMount</code> feature gate enabled (or be running v1.37+, where it is expected to be enabled by default).</li> <li>The Pod must specify a <strong>full SELinux label</strong> in its <code>securityContext.seLinuxOptions</code>, especially the <code>level</code> field.</li> <li>The <strong>volume driver</strong> must opt in. For CSI drivers, the <code>CSIDriver</code> object must have <code>spec.seLinuxMount: true</code>. In-tree volume plugins that support this feature also need to advertise support.</li> <li>The underlying <strong>filesystem</strong> must support per-mount context (most local filesystems do, but some network filesystems may not).</li> </ul> <p>If any of these are missing, the kubelet falls back to the old recursive relabeling method.</p> <h2 id="q5">5. What are the potential breaking changes in v1.37 when SELinuxMount becomes default?</h2> <p>When <code>SELinuxMount</code> is forced on in v1.37, workloads that previously relied on <strong>recursive relabeling</strong> to share a volume between Pods with different SELinux labels may break. For example, if a privileged Pod and an unprivileged Pod mount the same volume (not using <code>subPath</code>), the new mount-level labeling can only apply one label per mount—so both containers would see the same security context, which may be incompatible with their access needs. Additionally, if a Pod does not specify an explicit SELinux label, the kubelet cannot assign a random label at mount time, so the volume will fail to mount or receive a default label that may not be secure. Applications that depend on dynamic label assignment or fine-grained per-file labeling will need to be re-architected.</p> <h2 id="q6">6. 
How can cluster administrators prepare for this change in v1.36?</h2> <p>Kubernetes v1.36 is the <strong>ideal release</strong> to audit your cluster and make adjustments before v1.37 enforces the new behavior. Administrators should:</p> <ol> <li><strong>Identify workloads</strong> that use SELinux and verify whether they specify explicit labels in their Pod specs.</li> <li><strong>Check volume sharing patterns</strong>—look for volumes mounted by multiple Pods with differing SELinux contexts. If sharing is required, consider using <code>subPath</code> or separate volumes.</li> <li><strong>Enable the feature gate</strong> manually on a test cluster and run validation to catch regressions.</li> <li><strong>Update CSI drivers</strong> and in-tree plugins to advertise <code>seLinuxMount</code> support.</li> <li>If necessary, <strong>opt out</strong> temporarily by disabling the gate in kubelet flags (<code>--feature-gates=SELinuxMount=false</code>), but be aware that this is only a stopgap.</li> </ol> <p>By taking these steps now, you can ensure a smooth transition when the feature becomes the default.</p> <h2 id="q7">7. Which workloads are unaffected by this SELinux update?</h2> <p>Workloads that <strong>do not use SELinux</strong> at all are completely unaffected. If your nodes run without SELinux (disabled in the kernel or in permissive mode), the kubelet skips the entire SELinux logic and both old and new code paths are bypassed. Additionally, Pods that mount volumes exclusively via <code>subPath</code> and already specify a full SELinux label will see no behavioral change—they were already compatible with mount-level context. Finally, clusters running on non-Linux operating systems or Linux distributions without SELinux support are also out of scope. For everyone else, the update either brings a performance improvement (for single-label volumes) or requires a careful review to avoid breakage.</p>
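<p>As an added example (not code from the Kubernetes project or from this article), the following Python script performs the audit from section 6 against the prerequisites in section 4: it takes Pod objects in the shape of <code>kubectl get pods -o json</code> items and flags Pods without a full label (no <code>level</code>), Pods that set <code>seLinuxChangePolicy: Recursive</code> (the upstream per-Pod opt-out value, assumed here), whole-volume mounts on CSI drivers whose <code>CSIDriver</code> object lacks <code>spec.seLinuxMount: true</code>, and PVCs mounted whole (not via <code>subPath</code>) by Pods with differing labels. The driver opt-in table, the PVC-to-driver map and the sample Pods are constructed for the demo, not read from a real cluster.</p>

```python
from collections import defaultdict

# Assumed CSIDriver opt-in table (spec.seLinuxMount per driver); a real audit reads it from the API.
CSI_SELINUX_MOUNT = {"ebs.csi.example.com": True, "nfs.csi.example.com": False}

def full_label(pod):
    """Return 'user:role:type:level' from securityContext.seLinuxOptions, or None when 'level' is absent."""
    opts = (pod["spec"].get("securityContext") or {}).get("seLinuxOptions") or {}
    return ":".join(opts.get(k, "") for k in ("user", "role", "type", "level")) if opts.get("level") else None

def mounted_whole(pod, volume_name):
    """True if some container mounts the volume without subPath; subPath-only mounts keep their old behaviour."""
    return any(m.get("name") == volume_name and not m.get("subPath")
               for c in pod["spec"].get("containers", []) for m in c.get("volumeMounts", []))

def audit(pods, pvc_driver):
    """pods: Pod dicts as in `kubectl get pods -o json`; pvc_driver: {(namespace, claimName): CSI driver name}."""
    findings, labels_by_claim = [], defaultdict(set)
    for pod in pods:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        label = full_label(pod)
        if label is None:
            findings.append(f"{ns}/{name}: no full SELinux label (level missing); recursive relabel fallback")
        if (pod["spec"].get("securityContext") or {}).get("seLinuxChangePolicy") == "Recursive":
            findings.append(f"{ns}/{name}: seLinuxChangePolicy=Recursive opts out of mount-level labeling")
        for vol in pod["spec"].get("volumes", []):
            claim = (vol.get("persistentVolumeClaim") or {}).get("claimName")
            if not claim or not mounted_whole(pod, vol["name"]):
                continue
            driver = pvc_driver.get((ns, claim))
            if driver and not CSI_SELINUX_MOUNT.get(driver, False):
                findings.append(f"{ns}/{name}: volume {vol['name']} on {driver} lacks CSIDriver spec.seLinuxMount: true")
            labels_by_claim[(ns, claim)].add(label)
    for (ns, claim), labels in labels_by_claim.items():
        if len(labels) > 1:  # a mount carries exactly one context, so these Pods cannot share the whole volume
            findings.append(f"{ns}/pvc/{claim}: shared by Pods with differing labels {sorted(map(str, labels))}")
    return sorted(findings)

def sample_pod(ns, name, claim, level=None, sub_path=None):
    """Constructed sample Pod for the demo (not data from a real cluster)."""
    sc = {"seLinuxOptions": {"user": "system_u", "role": "system_r", "type": "container_t", "level": level}} if level else {}
    mount = {"name": "data", "mountPath": "/data", **({"subPath": sub_path} if sub_path else {})}
    return {"metadata": {"namespace": ns, "name": name}, "spec": {"securityContext": sc,
            "containers": [{"name": "app", "volumeMounts": [mount]}],
            "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": claim}}]}}

SAMPLE_PODS = [sample_pod("web", "a", "shared", "s0:c1,c2"), sample_pod("web", "b", "shared", "s0:c3,c4"),
               sample_pod("web", "c", "shared", "s0:c5,c6", sub_path="c"), sample_pod("web", "d", "bulk")]
SAMPLE_PVC_DRIVER = {("web", "shared"): "ebs.csi.example.com", ("web", "bulk"): "nfs.csi.example.com"}
```

<p>Running <code>audit(SAMPLE_PODS, SAMPLE_PVC_DRIVER)</code> reports the unlabeled Pod, its volume on the non-opted-in driver, and the PVC shared whole by two Pods with different levels, while the <code>subPath</code> consumer is left alone.</p>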