Report error on a pod startup on SELinux mismatch

When a volume is already mounted with an unexpected SELinux label,
kubelet must unmount it first and then mount it back with the expected one.
Report an error to user, just in case the unmount takes too long.

In therory, this error should not happen too often, because two Pods with
different SELinux label will not enter Desired State of World, see
dsw.AddPodToVolume. It can happen when DSW and ASW SELinux labels only when
a volume has been deleted from DSW (= Pod was deleted) or a volume was
reconstructed after kubelet restart. In both cases, volume manager should
unmount the volume quickly.

pkg/kubelet/volumemanager/cache/actual_state_of_world.go

@@ -1185,7 +1185,7 @@ type seLinuxMountMismatchError struct {
 
 func (err seLinuxMountMismatchError) Error() string {
 	return fmt.Sprintf(
-		"volumeName %q is already mounted to a different pod with a different SELinux label",
+		"waiting for unmount of volume %q, because it is already mounted to a different pod with a different SELinux label",
 		err.volumeName)
 }
 

pkg/kubelet/volumemanager/reconciler/reconciler.go

@@ -223,6 +223,7 @@ func (rc *reconciler) mountOrAttachVolumes() {
 			// The volume is mounted, but with an unexpected SELinux context.
 			// It will get unmounted in unmountVolumes / unmountDetachDevices and
 			// then removed from actualStateOfWorld.
+			rc.desiredStateOfWorld.AddErrorToPod(volumeToMount.PodName, err.Error())
 			continue
 		} else if cache.IsVolumeNotAttachedError(err) {
 			rc.waitForVolumeAttach(volumeToMount)