Quick Facts
- Category: Technology
- Published: 2026-05-02 07:02:08
If your Kubernetes cluster runs on Linux with SELinux in enforcing mode, you're about to experience a significant shift. Starting with v1.36, the SELinuxMount feature gate is moving toward general availability, and it's expected to become the default in v1.37. This change accelerates volume setup for most workloads but may break applications relying on the old recursive relabeling model—for instance, sharing a volume between privileged and unprivileged Pods on the same node. To help you prepare, we've compiled eight critical facts you need to know. This guide builds on earlier work from Kubernetes 1.27: Efficient SELinux Relabeling (Beta) and extends the approach to all volume types.
1. What SELinux Labels Do in Kubernetes
Security-Enhanced Linux (SELinux) uses labels attached to objects like files and network sockets to enforce access control. In Kubernetes, the container runtime historically applied these labels recursively to all files in a Pod's volumes. The Pod's SELinux label comes from spec.securityContext.seLinuxOptions, and the runtime then relabels every visible file—a process that can be painfully slow, especially on remote filesystems with many files. Without a specified label, Kubernetes assigns a random unique one to prevent cross-container data access if a process escapes its container boundary. This recursive relabeling is the core problem the new feature aims to solve.
2. The Performance Bottleneck of Recursive Relabeling
Recursive relabeling means the container runtime must traverse every inode on a volume and change its SELinux label. For read-heavy or large volumes, this introduces significant startup latency. Worse, it's unnecessary when the entire volume can be mounted with a single correct label. The old approach also limited flexibility: for instance, using subPath allowed two Pods with different labels to share a volume, but only if they accessed separate subdirectories. This inefficiency drove the Kubernetes community to seek a better solution—culminating in mount-time context labeling.
3. How Mount-Time Labeling Speeds Things Up
Where the underlying stack supports it, the kubelet can now mount a volume with the -o context=<label> option. This tells the kernel to apply the correct SELinux label to all inodes on that mount point without a recursive traversal. The result: near-instant volume setup, regardless of how many files exist. This path is gated by feature flags and requires that the Pod expose a stable SELinux label (e.g., seLinuxOptions.level) and that the volume driver opts in (for CSI, by setting CSIDriver.spec.seLinuxMount: true). It's a win for most workloads—but not all.
4. Phased Rollout: From ReadWriteOncePod to All Volumes
The project moved carefully. First, the SELinuxMountReadWriteOncePod feature gate targeted volumes with accessModes: ReadWriteOncePod—on by default since v1.28 and declared GA in v1.36. Next, broader coverage falls under the SELinuxMount flag, combined with the spec.securityContext.seLinuxChangePolicy field on Pods. This phased approach allowed the community to validate the mechanism on simpler, single-Pod volumes before expanding to multi-attach shared volumes. Understanding this progression helps you anticipate which of your workloads are affected.
5. Watch Out for Shared Volumes Between Privileged and Unprivileged Pods
One subtle breakage point: when two Pods on the same node share a volume and one runs privileged (no SELinux confinement) while the other is unprivileged (with a specific SELinux label). With the old recursive model, each Pod got its own label, and volumes were relabeled per-Pod. Under mount-time labeling, the entire mount gets one label. If a privileged Pod can't access files that were mounted with an unprivileged Pod's label, or vice versa, applications may fail. This scenario demands careful auditing—either ensure consistent labels across Pods or opt out of the new behavior.
6. Audit Your Cluster Now (v1.36 Is the Time)
Kubernetes v1.36 is the ideal release to review your cluster for SELinux impacts. Check which Pods use spec.securityContext.seLinuxOptions and which volumes are shared between Pods with different SELinux profiles. Use the seLinuxChangePolicy field to control behavior per Pod: set it to MountOption to opt in (the future default) or Recursive to opt out temporarily. For CSI drivers, ensure spec.seLinuxMount is set correctly. Also consider the PodSecurityContext.SELinuxChangePolicy as a cluster-wide default. The earlier you test, the smoother your transition to v1.37.
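As an added example (not code from the post or the Kubernetes project), the audit described in sections 5 and 6 applied to a constructed `kubectl get pods -A -o json`-style document: it finds PVC-backed volumes shared on one node by Pods whose effective SELinux labels differ and reports each Pod's seLinuxChangePolicy. The default label parts (system_u, system_r, container_t) and the "unconfined"/"random" markers are the example's own simplifications.

```python
"""Audit a kubectl-style Pod list for SELinux mount-time labeling conflicts.
Added example, not Kubernetes project code; SAMPLE_PODS is constructed to
resemble `kubectl get pods -A -o json` output, trimmed to the fields used."""
from collections import defaultdict

SAMPLE_PODS = {"items": [  # constructed: two Pods share PVC "shared" on node-a
    {"metadata": {"name": "backup", "namespace": "db"},
     "spec": {"nodeName": "node-a",
              "containers": [{"securityContext": {"privileged": True}}],
              "volumes": [{"persistentVolumeClaim": {"claimName": "shared"}}]}},
    {"metadata": {"name": "app", "namespace": "db"},
     "spec": {"nodeName": "node-a", "containers": [{}],
              "securityContext": {"seLinuxOptions": {"level": "s0:c10,c20"},
                                  "seLinuxChangePolicy": "Recursive"},
              "volumes": [{"persistentVolumeClaim": {"claimName": "shared"}}]}},
]}

def effective_label(pod):
    """Label the Pod's files would get, as far as the manifest shows."""
    spec = pod["spec"]
    ctrs = spec.get("containers", []) + spec.get("initContainers", [])
    if any((c.get("securityContext") or {}).get("privileged") for c in ctrs):
        return "unconfined"  # privileged: no SELinux confinement
    opts = (spec.get("securityContext") or {}).get("seLinuxOptions") or {}
    if "level" not in opts:
        return "random"  # no level: a unique per-Pod label is assigned
    return ":".join([opts.get("user", "system_u"), opts.get("role", "system_r"),
                     opts.get("type", "container_t"), opts["level"]])

def find_conflicts(pod_list):
    """Map (node, namespace, claim) -> [(pod, label, policy)] for shared PVCs."""
    by_volume = defaultdict(list)
    for pod in pod_list["items"]:
        spec, meta = pod["spec"], pod["metadata"]
        if not spec.get("nodeName"):
            continue  # unscheduled Pods share no mount yet
        policy = (spec.get("securityContext") or {}).get("seLinuxChangePolicy", "(unset)")
        for vol in spec.get("volumes", []):
            pvc = vol.get("persistentVolumeClaim")
            if pvc:
                key = (spec["nodeName"], meta["namespace"], pvc["claimName"])
                by_volume[key].append((meta["name"], effective_label(pod), policy))
    conflicts = {}
    for key, users in by_volume.items():
        labels = [label for _, label, _ in users]
        # two "random" labels are distinct too, so count rather than dedupe them
        if len(set(labels)) > 1 or labels.count("random") > 1:
            conflicts[key] = users
    return conflicts
```

Each reported entry is a volume where a single mount-time label cannot satisfy every Pod on that node; a Pod listed with `Recursive` is already opted out, the others need a consistent label or the same opt-out.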
7. No Change If SELinux Is Disabled
If your nodes don't use SELinux—whether because it's unavailable or disabled in the Linux kernel—none of this affects you. The kubelet skips all SELinux logic entirely. That means you can ignore this entire article and continue as usual. However, if you're planning to enable SELinux in the future (e.g., for compliance), understanding these changes now will save you headaches later. The same goes for clusters using only privileged: true containers without any label constraints—those also skip SELinux handling.
8. What to Expect in Kubernetes v1.37
The anticipated v1.37 release will likely turn the SELinuxMount feature gate on by default, making mount-time labeling the standard for all volumes. This means any workload that depends on recursive relabeling—specifically for shared volumes between Pods with different SELinux contexts—could break. The Kubernetes community recommends that you test your workloads against v1.36 with the feature gate explicitly enabled. If issues arise, you can set seLinuxChangePolicy: Recursive to preserve the old behavior until you adapt your configuration. Stay informed by monitoring SIG-Node discussions and release notes.
In summary, the SELinuxMount improvement brings significant performance gains for the vast majority of workloads by eliminating costly recursive relabeling. Yet it introduces a compatibility trap for those who rely on the old model for shared volumes. The key takeaway: audit your cluster in v1.36, test with the new feature gate, and plan your transition before v1.37 becomes the new normal. For deeper details, revisit the original blog on Kubernetes 1.27: Efficient SELinux Relabeling (Beta).