From 8a400124f95c2afd481d910e2c4588049af26886 Mon Sep 17 00:00:00 2001
From: Jan Safranek <jsafrane@redhat.com>
Date: Tue, 8 Oct 2024 13:22:47 +0200
Subject: [PATCH] Use SELinuxChangePolicy

---
 .../cache/desired_state_of_world.go           | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
index 2262a6bf338..6cdf6ba641e 100644
--- a/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
+++ b/pkg/kubelet/volumemanager/cache/desired_state_of_world.go
@@ -301,7 +301,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 		volumeName = util.GetUniqueVolumeNameFromSpecWithPod(podName, volumePlugin, volumeSpec)
 	}
 
-	seLinuxFileLabel, pluginSupportsSELinuxContextMount, err := dsw.getSELinuxLabel(volumeSpec, seLinuxContainerContexts)
+	seLinuxFileLabel, pluginSupportsSELinuxContextMount, err := dsw.getSELinuxLabel(volumeSpec, seLinuxContainerContexts, pod.Spec.SecurityContext)
 	if err != nil {
 		return "", err
 	}
@@ -392,7 +392,7 @@ func (dsw *desiredStateOfWorld) AddPodToVolume(
 	return volumeName, nil
 }
 
-func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions) (string, bool, error) {
+func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinuxContainerContexts []*v1.SELinuxOptions, podSecurityContext *v1.PodSecurityContext) (string, bool, error) {
 	var seLinuxFileLabel string
 	var pluginSupportsSELinuxContextMount bool
 
@@ -407,6 +407,20 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
 		if err != nil {
 			return "", false, err
 		}
+
+		if feature.DefaultFeatureGate.Enabled(features.SELinuxChangePolicy) &&
+			podSecurityContext != nil &&
+			podSecurityContext.SELinuxChangePolicy != nil &&
+			*podSecurityContext.SELinuxChangePolicy == v1.SELinuxChangePolicyRecursive {
+			// The pod has opted into recursive SELinux label changes. Do not mount with -o context.
+			return "", pluginSupportsSELinuxContextMount, nil
+		}
+
+		// Ignoring SELinuxMount feature gate:
+		// It allows value "SELinuxChangePolicy: MountOption" in the API server to be set.
+		// If the feature gate + field value is set in the API server, but the feature gate is disabled here in kubelet,
+		// kubelet would default to "", which means "MountOption" anyway.
+
 		seLinuxSupported := util.VolumeSupportsSELinuxMount(volumeSpec)
 		if pluginSupportsSELinuxContextMount {
 			// Ensure that a volume that can be mounted with "-o context=XYZ" is
@@ -414,7 +428,7 @@ func (dsw *desiredStateOfWorld) getSELinuxLabel(volumeSpec *volume.Spec, seLinux
 			for _, containerContext := range seLinuxContainerContexts {
 				newLabel, err := dsw.seLinuxTranslator.SELinuxOptionsToFileLabel(containerContext)
 				if err != nil {
-					fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %s", containerContext, err)
+					fullErr := fmt.Errorf("failed to construct SELinux label from context %q: %w", containerContext, err)
 					accessMode := getVolumeAccessMode(volumeSpec)
 					err := handleSELinuxMetricError(
 						fullErr,