From 260912490e022ad95413b566d4264deaac5c838e Mon Sep 17 00:00:00 2001
From: Jan Safranek
Date: Fri, 29 Jul 2022 10:48:59 +0200
Subject: [PATCH] Add a coment about handling same volumes with different contexts

---
 .../volumemanager/cache/desired_state_of_world.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
index b8aad587047..31e9d621253 100644
--- a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
@@ -485,6 +485,19 @@ func (dsw *desiredStateOfWorld) VolumeExists(
 		return false
 	}
 	if feature.DefaultFeatureGate.Enabled(features.SELinuxMountReadWriteOncePod) {
+		// Handling two volumes with the same name and different SELinux context
+		// as two *different* volumes here. Because if a volume is mounted with
+		// an old SELinux context, it must be unmounted first and then mounted again
+		// with the new context.
+		//
+		// This will happen when a pod A with context alpha_t runs and is being
+		// terminated by kubelet and its volumes are being torn down, while a
+		// pod B with context beta_t is already scheduled on the same node,
+		// using the same volumes
+		// The volumes from Pod A must be fully unmounted (incl. UnmountDevice)
+		// and mounted with new SELinux mount options for pod B.
+		// Without SELinux, kubelet can (and often does) reuse device mounted
+		// for A.
 		return vol.seLinuxFileLabel == seLinuxMountContext
 	}
 	return true
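Review bot: The new comment block reads as two fragments, `as two *different* volumes here. Because if a volume is mounted with` and the unterminated `using the same volumes` before `The volumes from Pod A ...`; I would join them as `as two *different* volumes here, because a volume mounted with an old SELinux context must be unmounted first and then mounted again with the new context.` and `using the same volumes.`. It would also help a reader to state what the comparison on the next line is for, since that is the only behavioural line in the branch: something like `// Returning false here makes the caller treat pod B's volume as not yet mounted, so it presumably gets a fresh mount with B's label instead of reusing A's device mount with the wrong context — the label mismatch is the whole reason for the gated branch.` Note that VolumeExists begins outside the hunk, so whether the false return indeed triggers a full UnmountDevice/mount cycle is inferred from the comment, not visible here; confirm against the caller before asserting it.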