If you run Kubernetes on Linux with SELinux in enforcing mode, big changes are coming. The SELinuxMount feature gate is going GA, and it will be turned on by default in v1.37. This update makes volume setup faster, but it can also break workloads that depend on the old recursive relabeling model. Kubernetes v1.36 is the perfect time to audit your cluster and prepare. Here are 10 essential things you need to know to stay ahead.
1. The SELinuxMount Feature Gate Is Now GA
With Kubernetes v1.36, the SELinuxMount feature gate reaches General Availability. This means the new mounting approach is stable and recommended for production. In v1.37, it will be enabled by default, so if you haven't planned yet, now is the time to test and adjust your workloads.
2. Old Recursive Relabeling Is a Performance Bottleneck
Traditionally, the container runtime recursively changes SELinux labels on all files in a Pod's volumes. This is especially slow on remote filesystems like NFS or cloud volumes. The new approach avoids this by letting the kernel apply the label at mount time using the -o context=<label> option.
3. Faster Volume Setup with Mount-Time Labeling
The improvement comes from mounting volumes with the correct SELinux label from the start. The kubelet can now pass the -o context option to the filesystem, so the kernel applies the label to all inodes without scanning each file. This drastically reduces setup time for volumes with many files, especially on remote storage.
4. Phased Rollout: First ReadWriteOncePod, Then Everything Else
The project introduced this feature in two phases. First, the SELinuxMountReadWriteOncePod gate handled volumes with ReadWriteOncePod access mode—on by default from v1.28 and GA in v1.36. Now, the SELinuxMount gate extends the same logic to all volume types.
5. Breaking Changes for Shared Volumes
The new behavior can break applications that rely on the old recursive model. Today two Pods with different SELinux labels (for example a privileged Pod and an unprivileged one, or two Pods with different MCS levels) can share a single volume on the same node, because recursive relabeling only touches what each Pod actually mounts. With mount-time labeling the entire volume carries one label, so the second label can't be applied: the kubelet detects the conflict, refuses to start the second Pod and reports it in an event. Audit such configurations in v1.36, before the gate is on by default.
6. The Kubernetes v1.36 Window for Auditing and Opting Out
v1.36 is your opportunity to test the new gate and fix any issues. You can still opt out by disabling the SELinuxMount feature gate on the kubelet, either with `--feature-gates=SELinuxMount=false` or with `featureGates: {SELinuxMount: false}` in the KubeletConfiguration, on every node that runs SELinux in enforcing mode. The kubelet's `volume_manager_selinux_*` metrics count the Pods and volumes whose labels would conflict, so scrape them before you flip the switch. After v1.37 the gate is on by default and, as a GA gate, will eventually be locked and removed. Use this release to ensure your workloads are compatible.
7. No Changes If SELinux Is Disabled
If your nodes don't use SELinux, this change doesn't affect you. The kubelet automatically skips all SELinux logic when SELinux is unavailable or disabled in the Linux kernel. You can safely ignore this article and continue without any adjustments.
8. Random SELinux Labels and Container Isolation
If a Pod doesn't specify an SELinux level in its security context, the container runtime assigns a random MCS level (the `c…` categories) to the container. This prevents an escaped process from reading other containers' data, because their files carry different categories. In the old model the runtime recursively relabeled all of the Pod's volumes with that random label. Mount-time labeling can't help here: the kubelet has to know the label before it mounts, and a label the runtime picks later is by definition unknown to it, so such Pods keep falling back to recursive relabeling. To get the faster path, set `seLinuxOptions.level` explicitly and keep the isolation by giving each workload its own categories.
9. SubPath Volumes Still Support Different Labels
The old recursive model allowed two Pods with different SELinux labels to share the same volume by mounting different subPaths: only each Pod's subPath was relabeled, not the entire volume. Mount-time labeling does change that. The `-o context` option labels the whole filesystem, so the first Pod's label wins and the second Pod conflicts, exactly as in point 5. If you depend on this pattern, either give both Pods the same level, or keep that Pod on the old behavior with `spec.securityContext.seLinuxChangePolicy: Recursive`, which tells the kubelet to relabel that Pod's volumes recursively instead of using the mount option.
10. Requirements for the New Mount-Time Labeling
To take advantage of the faster mounting, the Pod must set an explicit SELinux level (`spec.securityContext.seLinuxOptions.level`, at the Pod or container level) so the kubelet knows the label before it mounts. Additionally, the volume plugin must support the option: for CSI drivers that means setting `spec.seLinuxMount: true` in the CSIDriver object, which a driver should only do when each volume is its own filesystem that accepts `-o context`, not a shared export. Without both, the kubelet falls back to traditional recursive relabeling.
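The checks from points 5, 9 and 10, as a small audit script. This is an added example, not kubelet or SIG Storage code: it works over Pod objects shaped like `kubectl get pods -A -o json` output, reports per volume whether the kubelet can use `-o context` or will fall back to recursive relabeling, and flags Pods that share one PVC on one node with different levels. The sample Pods, the driver names and the `CSI_DRIVERS` / `PVC_DRIVER` maps (stand-ins for `CSIDriver.spec.seLinuxMount` and `PV.spec.csi.driver`) are constructed for the example.

```python
"""Audit Pods for the SELinuxMount transition (added example, not kubelet code).

Reports which volumes the kubelet can mount with -o context, which stay on
recursive relabeling and why, and which Pods share one PVC on one node with
different SELinux levels (the combination that conflicts under mount-time
labeling).  Sample objects mimic `kubectl get pods -A -o json` output.
"""
from collections import defaultdict

# Constructed stand-in for CSIDriver.spec.seLinuxMount (driver names are hypothetical).
CSI_DRIVERS = {"ebs.csi.example.com": True, "nfs.csi.example.com": False}

# Constructed stand-in for PV.spec.csi.driver, keyed by "namespace/claimName".
PVC_DRIVER = {"prod/shared-data": "ebs.csi.example.com",
              "prod/other-data": "ebs.csi.example.com"}


def make_pod(ns, name, node, pod_level, volume, sub_path=None):
    """Minimal Pod object with one container mounting one volume (sample data)."""
    mount = {"name": volume["name"], "mountPath": "/data"}
    if sub_path:
        mount["subPath"] = sub_path
    sec = {"seLinuxOptions": {"level": pod_level}} if pod_level else {}
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"nodeName": node, "securityContext": sec,
                     "containers": [{"name": "app", "volumeMounts": [mount]}],
                     "volumes": [volume]}}


def pvc(name, claim):
    return {"name": name, "persistentVolumeClaim": {"claimName": claim}}


SAMPLE_PODS = [
    # Two Pods on node-a share one PVC with different levels via subPaths (point 9).
    make_pod("prod", "web", "node-a", "s0:c1,c2", pvc("data", "shared-data"), "web"),
    make_pod("prod", "worker", "node-a", "s0:c3,c4", pvc("data", "shared-data"), "worker"),
    # No level anywhere: the runtime will pick a random MCS label (point 8).
    make_pod("prod", "legacy", "node-b", None, pvc("data", "other-data")),
    # Inline CSI volume on a driver that has not set seLinuxMount: true (point 10).
    make_pod("prod", "cache", "node-a", "s0:c5,c6",
             {"name": "scratch", "csi": {"driver": "nfs.csi.example.com"}}),
]


def container_levels(pod):
    """Effective SELinux level of every container (container-level seLinuxOptions
    override Pod-level ones).  None means the runtime assigns a random level the
    kubelet cannot know before mounting."""
    spec = pod["spec"]
    pod_level = spec.get("securityContext", {}).get("seLinuxOptions", {}).get("level")
    return {c.get("securityContext", {}).get("seLinuxOptions", {}).get("level") or pod_level
            for c in spec["containers"]}


def volume_driver(pod, volume):
    """CSI driver behind a volume: inline csi volumes name it directly, PVCs are
    resolved through the constructed PVC_DRIVER map."""
    if "csi" in volume:
        return volume["csi"]["driver"]
    if "persistentVolumeClaim" in volume:
        ns = pod["metadata"]["namespace"]
        return PVC_DRIVER.get(f"{ns}/{volume['persistentVolumeClaim']['claimName']}")
    return None


def mount_labeling_plan(pod):
    """Per volume: MOUNT_OPTION when the kubelet can pass -o context, otherwise
    the reason it stays on recursive relabeling."""
    levels = container_levels(pod)
    plan = {}
    for volume in pod["spec"]["volumes"]:
        if None in levels or len(levels) != 1:
            plan[volume["name"]] = "NO_SINGLE_LEVEL"      # kubelet needs one explicit level
        elif not CSI_DRIVERS.get(volume_driver(pod, volume), False):
            plan[volume["name"]] = "DRIVER_NOT_OPTED_IN"  # CSIDriver.spec.seLinuxMount unset/false
        else:
            plan[volume["name"]] = "MOUNT_OPTION"
    return plan


def shared_volume_conflicts(pods):
    """Pods on one node mounting the same PVC with different levels.  Two Pods
    with no level at all count as a conflict too: each gets its own random label."""
    users = defaultdict(list)
    for pod in pods:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for volume in pod["spec"]["volumes"]:
            claim = volume.get("persistentVolumeClaim", {}).get("claimName")
            if claim:
                key = (pod["spec"].get("nodeName"), f"{ns}/{claim}")
                for level in container_levels(pod):
                    users[key].append((f"{ns}/{name}", level))
    conflicts = []
    for (node, claim), entries in sorted(users.items(), key=lambda kv: (kv[0][0] or "", kv[0][1])):
        levels = {lvl for _, lvl in entries}
        if len(levels) > 1 or (None in levels and len(entries) > 1):
            conflicts.append({"node": node, "claim": claim,
                              "levels": sorted(str(lvl) for lvl in levels),
                              "pods": sorted(p for p, _ in entries)})
    return conflicts


if __name__ == "__main__":
    for pod in SAMPLE_PODS:
        print(pod["metadata"]["name"], mount_labeling_plan(pod))
    for conflict in shared_volume_conflicts(SAMPLE_PODS):
        print("CONFLICT", conflict)
```

Against a real cluster, replace `SAMPLE_PODS` with the `items` of `kubectl get pods -A -o json`, fill `CSI_DRIVERS` from `kubectl get csidriver -o json` and `PVC_DRIVER` from the bound PVs. Every `CONFLICT` line is a Pod pair that will stop scheduling together once the gate is on; every `NO_SINGLE_LEVEL` or `DRIVER_NOT_OPTED_IN` volume is one that will keep paying the recursive relabel cost.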
In conclusion, the SELinuxMount GA marks a major performance improvement for Kubernetes clusters with SELinux. But it requires careful planning to avoid breaking existing workloads. Use v1.36 to audit your cluster, test your applications, and decide if you need to opt out temporarily. With the right preparation, you can smoothly transition to the faster, more efficient mount-time labeling in v1.37 and beyond.