ci: Skip SELinux relabel on start

By default, CRI-O assigns a random SELinux category to every pod, and
then must adjust the label of every file and directory in the persistent
volume to match.  For very large volumes like a Buildroot output
directory, this can take quite some time.  Fortunately, if we assign a
static category, we can tell CRI-O to skip the relabel step.

Unfortunately, Jenkins does not merge the `securityContext` field of the
pod spec when the `yamlMergeStrategy` is set to `merge`.  For our custom
settings to apply, we have to leave the merge strategy at the default,
`override`.

ci/Jenkinsfile

@@ -11,7 +11,6 @@ pipeline {
     agent {
         kubernetes {
             yamlFile 'ci/podTemplate.yaml'
-            yamlMergeStrategy merge()
             workspaceVolume persistentVolumeClaimWorkspaceVolume(
                 claimName: 'buildroot-airplaypi'
             )

ci/podTemplate.yaml

@@ -1,3 +1,6 @@
+metadata:
+  annotations:
+    io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
 spec:
   containers:
   - name: build
@@ -13,6 +16,8 @@ spec:
       subPath: ssh_known_hosts
   securityContext:
     fsGroupChangePolicy: OnRootMismatch
+    seLinuxOptions:
+      level: s0:c596,c675
   volumes:
   - name: ssh-known-hosts
     configMap: