From 686da2476247a6dbe506c3cf8387518776a2b95d Mon Sep 17 00:00:00 2001
From: bdchatham <bdchatham@gmail.com>
Date: Thu, 7 May 2026 11:27:00 -0700
Subject: [PATCH 1/2] feat(noderesource): set SELinuxChangePolicy=MountOption
 on SeiNode pods
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tells kubelet/CSI to apply the pod's SELinux context as a per-mount
overlay (one mount syscall option) instead of the default behavior
of recursively rewriting xattrs on every file in the data PVC.

Concrete impact for archive nodes (40 TiB xfs, 8.2M files):
  - Before: every pod creation triggers a full setxattr walk →
    ~20 minutes of CreateContainer hang while runc relabels each
    file to match the pod's randomized MCS pair.
  - After:  the kernel applies the context at mount time, regardless
    of filesystem size → milliseconds. Subsequent pod recreations
    (different MCS) just remount with a different context= option,
    same instant cost.

Mechanism: SELinux mount option `context=<label>` makes every file
under a mount appear to have that label to the kernel's SELinux
subsystem, regardless of on-disk xattrs. No per-file work, no disk
writes — a per-mount-instance overlay.

Requires K8s 1.33+ (SELinuxMount feature GA) and a CSI driver that
supports the SELinuxMount capability; EBS CSI v1.30+ does. Cluster
runs 1.34, EBS CSI is current — both prerequisites met.

Validated on pacific-1-archive-0 in prod: same 40 TiB volume
consistently triggered the 20-minute relabel walk on every pod
recreation. With this change, future recreations skip that path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 internal/noderesource/noderesource.go      |  8 ++++++++
 internal/noderesource/noderesource_test.go | 15 +++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/internal/noderesource/noderesource.go b/internal/noderesource/noderesource.go
index 26501ae..b4d2bf4 100644
--- a/internal/noderesource/noderesource.go
+++ b/internal/noderesource/noderesource.go
@@ -273,6 +273,14 @@ func buildNodePodSpec(node *seiv1alpha1.SeiNode, p PlatformConfig) corev1.PodSpe
 			},
 		},
 		Volumes: volumes,
+		SecurityContext: &corev1.PodSecurityContext{
+			// Apply SELinux labels via mount option (constant time) instead of
+			// the default recursive xattr walk, which takes ~20 minutes on the
+			// 40 TiB archive PVC and stalls every pod recreation. Requires K8s
+			// 1.33+ (SELinuxMount GA) and a CSI driver that supports it; EBS
+			// CSI v1.30+ does.
+			SELinuxChangePolicy: ptr.To(corev1.SELinuxChangePolicyMountOption),
+		},
 	}
 
 	spec.ShareProcessNamespace = ptr.To(true)
diff --git a/internal/noderesource/noderesource_test.go b/internal/noderesource/noderesource_test.go
index bb8b51e..fc3ee91 100644
--- a/internal/noderesource/noderesource_test.go
+++ b/internal/noderesource/noderesource_test.go
@@ -188,6 +188,21 @@ func TestBuildNodePodSpec_SharedPIDNamespace(t *testing.T) {
 	g.Expect(*sts.Spec.Template.Spec.ShareProcessNamespace).To(BeTrue())
 }
 
+// SELinuxChangePolicy=MountOption avoids the per-pod-recreation recursive
+// xattr walk over the data PVC. On a multi-TB archive PVC, that walk takes
+// ~20 minutes; with MountOption the kernel applies the SELinux context as
+// a per-mount overlay in milliseconds.
+func TestBuildNodePodSpec_SELinuxChangePolicyMountOption(t *testing.T) {
+	g := NewWithT(t)
+	node := newSnapshotNode("snap-0", "default")
+
+	spec := buildNodePodSpec(node, platformtest.Config())
+
+	g.Expect(spec.SecurityContext).NotTo(BeNil())
+	g.Expect(spec.SecurityContext.SELinuxChangePolicy).NotTo(BeNil())
+	g.Expect(*spec.SecurityContext.SELinuxChangePolicy).To(Equal(corev1.SELinuxChangePolicyMountOption))
+}
+
 // --- PVC ---
 
 func TestNodeDataPVCClaimName_Genesis(t *testing.T) {

From 4ca20fd6e7972c9ffcabc7bf53d04e335b5dbae0 Mon Sep 17 00:00:00 2001
From: bdchatham <bdchatham@gmail.com>
Date: Thu, 7 May 2026 11:28:04 -0700
Subject: [PATCH 2/2] review: shorten SELinux comment

---
 internal/noderesource/noderesource.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/internal/noderesource/noderesource.go b/internal/noderesource/noderesource.go
index b4d2bf4..ca500f9 100644
--- a/internal/noderesource/noderesource.go
+++ b/internal/noderesource/noderesource.go
@@ -274,11 +274,7 @@ func buildNodePodSpec(node *seiv1alpha1.SeiNode, p PlatformConfig) corev1.PodSpe
 		},
 		Volumes: volumes,
 		SecurityContext: &corev1.PodSecurityContext{
-			// Apply SELinux labels via mount option (constant time) instead of
-			// the default recursive xattr walk, which takes ~20 minutes on the
-			// 40 TiB archive PVC and stalls every pod recreation. Requires K8s
-			// 1.33+ (SELinuxMount GA) and a CSI driver that supports it; EBS
-			// CSI v1.30+ does.
+			// Avoids recursive setxattr walk on the data PVC at pod start.
 			SELinuxChangePolicy: ptr.To(corev1.SELinuxChangePolicyMountOption),
 		},
 	}