6 Key Implications of Kubernetes SELinux Volume Labels Going GA in v1.37

<p>If you run Kubernetes on Linux with SELinux in enforcing mode, a major change is coming. In the anticipated v1.37 release, the <strong>SELinuxMount</strong> feature gate will become enabled by default. This enhancement accelerates volume setup for most workloads by replacing the slow recursive relabeling with a kernel-level mount option. However, it can break applications that rely on the old behavior—for example, sharing a volume between privileged and unprivileged Pods on the same node. Kubernetes v1.36 is the ideal time to audit your cluster and prepare. If your nodes don't use SELinux, nothing changes for you. This article explains the six things you need to know to navigate this transition smoothly.</p>

<h2 id="item1">1. The Problem: Slow Recursive Relabeling</h2>
<p>On Linux systems with SELinux enabled, the kernel uses labels on files and sockets to enforce access control. Historically, the container runtime would recursively change the SELinux label on every file in a Pod's volumes. This is time-consuming, especially for volumes with many files or remote filesystems. If a Pod lacks an explicit SELinux label, the runtime assigns a random unique label and still relabels all files. This old method ensures security but at a significant performance cost.</p>

<h2 id="item2">2. The Solution: Mount-Time Labeling via <code>-o context</code></h2>
<p>Kubernetes is improving performance by using the kernel's <code>mount -o context=&lt;label&gt;</code> option. Instead of recursively relabeling inodes, the kernel applies the correct label to all inodes on the mount point instantly. This requires the Pod to specify enough SELinux attributes (e.g., <code>spec.securityContext.seLinuxOptions.level</code>) and the volume driver to opt in. For CSI drivers, the <code>CSIDriver.spec.seLinuxMount: true</code> field enables this fast path. The result: nearly zero overhead for volume labeling.</p>

<h2 id="item3">3. Phased Rollout: From ReadWriteOncePod to All Volumes</h2>
<p>The feature shipped in two phases. First, the <strong>SELinuxMountReadWriteOncePod</strong> gate targeted ReadWriteOncePod volumes—it became beta in v1.28 and GA in v1.36. Now, the broader <strong>SELinuxMount</strong> gate covers all volume types, paired with the new <code>spec.securityContext.seLinuxChangePolicy</code> field on Pods. This field lets you control whether the kubelet uses mount-time labeling or falls back to recursive relabeling. In v1.37, the gate defaults to on, so you must explicitly opt out if needed.</p>

<h2 id="item4">4. Breakage Risk: SubPath and Shared Volumes</h2>
<p>The new behavior can break workloads that share a volume between Pods with different SELinux labels. Previously, as long as each Pod used a different <strong>subPath</strong>, the container runtime relabeled only that subpath. With mount-time labeling, the entire mount is labeled uniformly, preventing such sharing. Applications that rely on subPath for multi-label volumes must be redesigned. If you must retain the old behavior, set <code>seLinuxChangePolicy: Recursive</code> in the Pod spec before v1.37.</p>

<h2 id="item5">5. Opt-Out Options in v1.36 and v1.37</h2>
<p>To avoid surprises, you can opt out at multiple levels. In v1.36, disable the <strong>SELinuxMount</strong> feature gate using <code>--feature-gates=SELinuxMount=false</code> on the kubelet. Alternatively, per-Pod, set <code>spec.securityContext.seLinuxChangePolicy: Recursive</code> to force old-style relabeling. In v1.37, when the gate is on by default, the per-Pod option remains. Additionally, CSI drivers can set <code>spec.seLinuxMount: false</code> to indicate they don't support mount-time labeling. Kubernetes will then fall back automatically.</p>

<h2 id="item6">6. Audit Your Cluster Now: v1.36 Is the Safety Window</h2>
<p>v1.36 is the release to test and migrate. Audit all workloads that use SELinux labels and check for volume sharing patterns. Use the <code>seLinuxChangePolicy</code> field to gradually adopt the new behavior. Monitor kubelet logs for warnings about fallbacks. If your cluster doesn't use SELinux, you can ignore this entirely—the kubelet skips SELinux logic when the kernel lacks it. Otherwise, start planning before v1.37 hits your production environment.</p>

<h2 id="conclusion">Conclusion: Embrace Performance, Watch for Compatibility</h2>
<p>The move to mount-time SELinux labeling in Kubernetes v1.37 is a welcome performance improvement—no more slow recursive relabeling for most volumes. But it requires careful attention to workload compatibility, especially those sharing volumes via subPath. By auditing now and using the available opt-outs, you can ensure a smooth transition. The future of Kubernetes on SELinux is faster and more efficient, but only if you prepare.</p>
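<p>The audit that items 4 and 6 call for, as an added example that is not part of the article or of Kubernetes itself: it walks a set of Pod manifests, groups them by the PersistentVolumeClaim they mount, and flags every claim shared by Pods whose <code>seLinuxOptions.level</code> values differ or are unset (the kubelet then picks a unique label per Pod), noting whether <code>subPath</code> is involved. It assumes a shared claim is only safe under the new behavior when every sharing Pod sets <code>seLinuxChangePolicy: Recursive</code>; the sample manifests are constructed, not taken from any real cluster.</p>

```python
# Added audit example (not from the article): find PVCs shared by Pods whose SELinux labels differ.
from collections import defaultdict

def pod_selinux(pod):
    """Return (level, keeps_recursive); level is None when unset (kubelet then picks a unique one)."""
    sc = pod["spec"].get("securityContext") or {}
    return (sc.get("seLinuxOptions") or {}).get("level"), sc.get("seLinuxChangePolicy") == "Recursive"

def pvc_mounts(pod):
    # Yield (claimName, subPath) for every container mount backed by a PVC volume.
    claims = {v["name"]: v["persistentVolumeClaim"]["claimName"]
              for v in pod["spec"].get("volumes", []) if "persistentVolumeClaim" in v}
    for c in pod["spec"].get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in claims:
                yield claims[m["name"]], m.get("subPath")

def audit(pods):
    """One finding per PVC shared by Pods with unset or mismatched SELinux levels."""
    users = defaultdict(list)
    for pod in pods:
        level, recursive = pod_selinux(pod)
        for claim, sub in pvc_mounts(pod):
            users[(pod["metadata"]["namespace"], claim)].append(
                (pod["metadata"]["name"], level, sub, recursive))
    findings = []
    for (ns, claim), u in sorted(users.items()):
        levels = {lvl for _, lvl, _, _ in u}
        if len(u) < 2 or (len(levels) == 1 and None not in levels) or all(rec for *_, rec in u):
            continue  # not shared, one explicit label for all, or every sharer kept Recursive (assumed safe)
        findings.append({"claim": f"{ns}/{claim}", "pods": sorted(n for n, _, _, _ in u),
                         "subpath": any(s for _, _, s, _ in u)})
    return findings

def make_pod(name, level, claim, subpath=None, policy=None):
    """Minimal Pod manifest; constructed sample data, not taken from any real cluster."""
    sc = {"seLinuxOptions": {"level": level}} if level else {}
    if policy:
        sc["seLinuxChangePolicy"] = policy
    mount = {"name": "data", "mountPath": "/data", **({"subPath": subpath} if subpath else {})}
    return {"metadata": {"namespace": "team", "name": name},
            "spec": {"securityContext": sc, "containers": [{"name": "app", "volumeMounts": [mount]}],
                     "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": claim}}]}}

SAMPLE_PODS = [
    make_pod("web", "s0:c1,c2", "shared", subpath="web"),        # two labels on one claim via subPath:
    make_pod("batch", "s0:c3,c4", "shared", subpath="batch"),    # breaks once the mount is labeled uniformly
    make_pod("log-a", "s0:c5,c6", "logs"), make_pod("log-b", "s0:c5,c6", "logs"),  # same label: fine
    make_pod("old-a", "s0:c7,c8", "legacy", policy="Recursive"),  # both opted back into Recursive: fine
    make_pod("old-b", None, "legacy", policy="Recursive"),
]
```

Running <code>audit(SAMPLE_PODS)</code> reports only the <code>team/shared</code> claim, with its two Pods and <code>subpath</code> set to true; in a real cluster, feed it the items of <code>kubectl get pods -A -o json</code>.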