Workarounds to skip SELinux relabelling in Openshift Data Foundation / Openshift Container Storage
Issue
NOTE: Automatically skipping recursive SELinux relabeling is a feature that will be native to ODF v4.21.
OpenShift namespaces are, by default, configured with different Multi-Category Security (MCS) SELinux settings. A simple way to review this security context is to inspect the namespace YAML:

    oc get project mds-test -o yaml | grep scc.mcs
        openshift.io/sa.scc.mcs: s0:c25,c20
              f:openshift.io/sa.scc.mcs: {}
This SELinux context is inherited by all the pods running inside these namespaces. Because of this, all files inside the PVs bound to these pods must be relabeled accordingly so that their SELinux context matches the security context of the pods.
When the number of files in these PVs grows large (thousands or millions of objects), the pods get stuck in ContainerCreating or Init status.
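A quick way to verify whether the files on a PV mount actually carry the namespace's MCS categories, added here as an example that is not part of this article: it parses the openshift.io/sa.scc.mcs annotation out of namespace YAML and compares it, order-insensitively, with ls -Z style file contexts (the kernel stores categories in canonical sorted order, so s0:c25,c20 and s0:c20,c25 are the same label). The namespace YAML and the ls -Z lines below are constructed sample data; in practice the input would come from `oc get project <ns> -o yaml` and `ls -Z` run against the mount.

```shell
#!/bin/sh
# Added example (not from the KB article). Checks PV file contexts against
# the MCS label of the namespace. All sample data below is constructed.

# Constructed namespace YAML fragment, as returned by `oc get project -o yaml`.
SAMPLE_NS_YAML='apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/sa.scc.mcs: s0:c25,c20
  name: mds-test'

# Constructed `ls -Z` output from a PV mount: two files labeled for this
# namespace, one for a different namespace, one with no categories at all.
SAMPLE_LS_Z='system_u:object_r:container_file_t:s0:c20,c25 data-0001.bin
system_u:object_r:container_file_t:s0:c20,c25 data-0002.bin
system_u:object_r:container_file_t:s0:c7,c19 data-0003.bin
system_u:object_r:container_file_t:s0 data-0004.bin'

# Print the MCS label (e.g. "s0:c25,c20") found in namespace YAML text.
mcs_from_yaml() {
    printf '%s\n' "$1" | sed -n 's/^ *openshift\.io\/sa\.scc\.mcs: *//p' | head -n 1
}

# Normalise "s0:c25,c20" -> "c20,c25" so that the annotation's order and the
# kernel's canonical order compare equal. A level with no categories ("s0")
# is passed through unchanged and therefore never matches a categorised label.
norm_cats() {
    printf '%s\n' "${1#*:}" | tr ',' '\n' | sort -t c -k 2 -n | paste -sd ',' -
}

# Return 0 when a full file context (user:role:type:level) carries the same
# sensitivity and the same set of categories as the expected MCS label.
ctx_matches() {
    ctx_level=$(printf '%s\n' "$1" | cut -d: -f4-)
    [ "${ctx_level%%:*}" = "${2%%:*}" ] && \
    [ "$(norm_cats "$ctx_level")" = "$(norm_cats "$2")" ]
}

# Count `ls -Z` lines whose context does not match the label; a non-zero
# count means the PV still needs relabeling before the pod can start cleanly.
count_mismatched() {
    n=0
    while read -r ctx _name; do
        [ -n "$ctx" ] || continue
        ctx_matches "$ctx" "$2" || n=$((n + 1))
    done <<EOF
$1
EOF
    printf '%s\n' "$n"
}
```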
Environment
Red Hat OpenShift Container Platform (OCP) 4.x
Red Hat OpenShift Container Storage (OCS) 4.x
Red Hat OpenShift Data Foundation (ODF) 4.x