How to apply SELinux relabeling workaround automatically on workloads running on OpenShift Container Platform 4?

Solution Verified - Updated

Environment

  • OpenShift Container Platform 4.10 and above
  • Red Hat Advanced Cluster Manager for Kubernetes 2.6 and above

Issue

  • How to apply SELinux relabeling workaround automatically on workloads running on OpenShift Container Platform 4?
  • How to apply Skip SELinux Relabeling if already done with an annotation documented in solution 6221251 automatically on a namespace in OpenShift Container Platform 4?
  • How to apply Skip SELinux relabeling workaround with spc_t documented in solution 6221251 automatically on workloads running on OpenShift Container Platform 4?

Resolution

As documented in solution 6221251, there are two workarounds to skip SELinux relabeling:

1. Skip SELinux Relabeling with spc_t
2. Skip SELinux Relabeling if already done with an annotation

An automated solution using the Cluster Resource Override Operator (CRO) is also documented under the section Automatic SELinux File Content Relabeling (OCP Version 4.13+) for applying the first workaround mentioned above. The advantage of this method is that it applies the SELinux relabeling workaround only if a pod has a PVC. The CRO requires any affected pods to have the label forceselinuxrelabel.admission.node.openshift.io/enabled: "true" so that the SELinux relabeling workaround can be applied automatically.
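
An added example, not from the original solution or from Red Hat: a Python check for the label requirement described above. It takes pod data in the shape of `oc get pods -A -o json`, lists PVC-backed pods that lack the label and so would not be picked up, and notes pods that already declare `spc_t` in `securityContext.seLinuxOptions.type`. The pod names and the `_pod` helper are constructed for illustration.

```python
# Label key quoted in the article; the value must be the string "true".
CRO_LABEL = "forceselinuxrelabel.admission.node.openshift.io/enabled"

def pvc_claims(pod):
    """Names of the PersistentVolumeClaims a pod mounts (empty if none)."""
    return [v["persistentVolumeClaim"]["claimName"]
            for v in pod.get("spec", {}).get("volumes") or []
            if "persistentVolumeClaim" in v]

def selinux_types(pod):
    """SELinux types declared at pod level and on each container."""
    spec = pod.get("spec", {})
    ctxs = [spec.get("securityContext")] + [
        c.get("securityContext") for c in spec.get("containers", [])]
    return {((c or {}).get("seLinuxOptions") or {}).get("type") for c in ctxs} - {None}

def audit(pod_list):
    """Sort pods by PVC use and label state; record pods already set to spc_t."""
    report = {"labelled": [], "unlabelled": [], "no_pvc": [], "spc_t": []}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        name = f"{meta.get('namespace')}/{meta.get('name')}"
        if "spc_t" in selinux_types(pod):
            report["spc_t"].append(name)   # runs without SELinux confinement
        if not pvc_claims(pod):
            report["no_pvc"].append(name)  # no PVC, nothing to relabel
        elif (meta.get("labels") or {}).get(CRO_LABEL) == "true":
            report["labelled"].append(name)
        else:
            report["unlabelled"].append(name)  # PVC present, label missing or not "true"
    return report

def _pod(ns, name, labels=None, claim=None, setype=None):
    """Constructed pod object in the shape `oc get pods -o json` returns."""
    vol = {"persistentVolumeClaim": {"claimName": claim}} if claim else {"emptyDir": {}}
    sc = {"seLinuxOptions": {"type": setype}} if setype else {}
    return {"metadata": {"namespace": ns, "name": name, "labels": labels or {}},
            "spec": {"securityContext": sc, "volumes": [{"name": "data", **vol}],
                     "containers": [{"name": "app"}]}}

# Constructed sample data; namespace and pod names are hypothetical.
SAMPLE = {"items": [
    _pod("shop", "db-0", {CRO_LABEL: "true"}, claim="db-data", setype="spc_t"),
    _pod("shop", "cache-0", {CRO_LABEL: "false"}, claim="cache-data"),
    _pod("shop", "files-0", claim="files"),
    _pod("shop", "web-1"),
]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Against a live cluster, the same `audit` function can be fed the parsed JSON from `oc get pods -A -o json` in place of `SAMPLE`.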

The following solutions explore alternative ways to use Red Hat Advanced Cluster Manager for Kubernetes to automatically configure pods to skip SELinux relabeling. Refer to the appropriate article based on the chosen workaround.

1. Skip SELinux Relabeling with spc_t
2. Skip SELinux Relabeling if already done with an annotation

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.