jenkins: Avoid SELinux relabel of data dir

Setting a static SELinux level for the container allows CRI-O to skip relabeling all the files in the persistent volume each time the container starts. For this to work, the pod needs a special annotation, and CRI-O itself has to be configured to respect it: ```toml [crio.runtime.runtimes.runc] allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"] ``` This *dramatically* improves the start time of the Jenkins container. Instead of taking 5+ minutes, it now starts instantly. https://github.com/cri-o/cri-o/issues/6185#issuecomment-1334719982
2022-12-01 21:35:02 -06:00 · 2022-12-01 21:35:02 -06:00 · b8ccbd0b09
parent 2c794a9399
commit b8ccbd0b09
1 changed files with 5 additions and 0 deletions
--- a/jenkins/jenkins.yaml
+++ b/jenkins/jenkins.yaml
@ -108,6 +108,8 @@ spec:
      app.kubernetes.io/instance: jenkins
  template:
    metadata:
+      annotations:
+        io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
      labels:
        app.kubernetes.io/name: jenkins
        app.kubernetes.io/component: master
@ -122,6 +124,9 @@ spec:
          containerPort: 8080
        - name: jnlp
          containerPort: 40414
+        securityContext:
+          seLinuxOptions:
+            level: s0:c525,c600
        volumeMounts:
        - name: jenkins-data
          mountPath: /var/jenkins_home