6 Key Things to Know About SELinux Volume Label Changes in Kubernetes 1.37

Published: 2026-05-02 00:06:42 | Category: Technology

If you run Kubernetes on Linux with SELinux enabled in enforcing mode, a significant change is coming. Starting with Kubernetes v1.37, the SELinuxMount feature gate is expected to be enabled by default, speeding up volume setup for most workloads but potentially breaking applications that rely on the old recursive relabeling model. This listicle highlights the essential details you need to understand and act on—especially if you’re still on v1.36, which is the perfect release to audit your cluster. For nodes without SELinux, nothing changes, so feel free to skip this if that’s you.

1. The Default Activation of SELinuxMount in v1.37

In Kubernetes v1.37, the SELinuxMount feature gate will be turned on by default. This means that the kubelet will use the -o context=<label> mount option to apply SELinux labels to all volumes at mount time, rather than recursively relabeling every file inside the volume. This change improves performance significantly for workloads with many files, especially on remote filesystems. However, if your applications depend on the older behavior—like sharing a single volume between privileged and unprivileged Pods on the same node—they might break. Plan to test your workloads on v1.36 before upgrading.

2. The Problem with Recursive Relabeling

Before this change, the container runtime handled SELinux labels by recursively traversing every file in a Pod’s volumes and updating their labels. This process is slow for large volumes and can cause delays in Pod startup. Moreover, if a Pod doesn’t specify an SELinux label in its security context, the runtime assigns a random unique label to ensure isolation, but still performs the full recursion. The new approach avoids this traversal by leveraging the kernel’s mount-time labeling, which is both faster and more efficient.

3. How the New Mount-Time Labeling Works

When SELinuxMount is active, the kubelet mounts the volume with the -o context=<label> option, so the kernel applies the correct SELinux label to every inode on that mount point at mount time. This eliminates the need for the container runtime to recursively relabel files. However, this method requires that the Pod specifies a complete SELinux label (in particular spec.securityContext.seLinuxOptions.level) and that the volume driver opts in. For CSI drivers, the CSIDriver object must set spec.seLinuxMount: true.

4. Gradual Rollout: From ReadWriteOncePod to All Volumes

The Kubernetes project introduced this improvement in phases. First, the SELinuxMountReadWriteOncePod feature gate covered only ReadWriteOncePod volumes and became GA in v1.36. The broader SELinuxMount gate now extends the same approach to all volume types. In addition, the spec.securityContext.seLinuxChangePolicy field on a Pod lets you choose, per Pod, between mount-time labeling and the recursive relabeling. This phased approach gave the community time to test and adapt before the default activation in v1.37.

5. Potential Pitfalls and How to Avoid Them

The biggest risk is for workloads that share a single volume between Pods with different SELinux labels—for example, a privileged container and an unprivileged container using the same PersistentVolumeClaim. With the old recursive model, subPath mounts allowed such sharing. The new mount-time labeling applies a single label to the entire mount, breaking that pattern. To opt out, you can set --feature-gates=SELinuxMount=false on the kubelet during v1.36/v1.37, or use seLinuxChangePolicy: MountRecursive on the Pod. Use v1.36 to audit your cluster and fix any issues.
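Added example (not code from the original post) of the audit this section recommends: it scans a `kubectl get pods -A -o json` dump for PersistentVolumeClaims that Pods on the same node mount with different SELinux labels, the pattern a single mount-time context cannot satisfy. The Pod objects below are constructed for the demonstration, and the handling of privileged and unlabeled Pods follows this page's description of what the runtime does.

```python
from collections import defaultdict

def pod_labels(pod):
    """Distinct SELinux labels the Pod's containers will run with: a privileged container
    gets its own marker, and an unlabeled Pod a per-UID one (the runtime picks a random label)."""
    spec = pod["spec"]
    pod_level = (spec.get("securityContext") or {}).get("seLinuxOptions")
    labels = set()
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        sctx = ctr.get("securityContext") or {}
        if sctx.get("privileged"):
            labels.add("<privileged>")
            continue
        opts = sctx.get("seLinuxOptions") or pod_level  # container-level options win
        labels.add(":".join(str(opts.get(k, "")) for k in ("user", "role", "type", "level"))
                   if opts else "<random:%s>" % pod["metadata"]["uid"])
    return labels

def find_conflicts(pod_list):
    """Map (node, namespace, claimName) -> sorted labels for each PVC that Pods on one node
    mount with more than one label; a single mount-time context cannot serve them all."""
    seen = defaultdict(set)
    for pod in pod_list["items"]:
        node = pod["spec"].get("nodeName")
        if not node:
            continue  # not scheduled yet, so nothing is mounted
        for vol in pod["spec"].get("volumes", []):
            pvc = vol.get("persistentVolumeClaim")
            if pvc:
                seen[(node, pod["metadata"]["namespace"], pvc["claimName"])] |= pod_labels(pod)
    return {key: sorted(lbls) for key, lbls in seen.items() if len(lbls) > 1}

def _pod(name, uid, node, claims, level=None, privileged=False):  # constructed Pod, kubectl JSON shape
    sctx = {"seLinuxOptions": {"user": "system_u", "role": "system_r", "type": "container_t", "level": level}} if level else {}
    return {"metadata": {"name": name, "namespace": "default", "uid": uid},
            "spec": {"nodeName": node, "securityContext": sctx,
                     "containers": [{"name": "main", "securityContext": {"privileged": privileged}}],
                     "volumes": [{"name": c, "persistentVolumeClaim": {"claimName": c}} for c in claims]}}

# Constructed sample: "shared-data" on node-a mixes labels (conflict); "db-data" spans two nodes (fine).
SAMPLE_PODS = {"items": [
    _pod("web-0", "uid-1", "node-a", ["shared-data"], level="s0:c1,c2"),
    _pod("web-1", "uid-2", "node-a", ["shared-data"], level="s0:c1,c2"),
    _pod("backup", "uid-3", "node-a", ["shared-data"], privileged=True),
    _pod("db-a", "uid-4", "node-a", ["db-data"], level="s0:c3,c4"),
    _pod("db-b", "uid-5", "node-b", ["db-data"], level="s0:c5,c6"),
]}

if __name__ == "__main__":  # for a live audit, replace SAMPLE_PODS with the parsed `kubectl get pods -A -o json`
    print(find_conflicts(SAMPLE_PODS))
```

Any PVC the script reports is a candidate for seLinuxChangePolicy on the Pods involved, or for splitting the data onto separate claims, before the v1.37 default flips.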

6. No Impact If You Don’t Use SELinux

If your nodes do not have SELinux enabled (or if it’s disabled in the kernel), the kubelet skips all SELinux-related logic entirely. This means the SELinuxMount feature has no effect on your cluster. You can ignore the changes described here. However, if you plan to enable SELinux in the future, be aware that the new behavior will be the default by v1.37. It’s a good idea to stay informed even if you’re not affected today.

Conclusion: The SELinux volume label changes in Kubernetes 1.37 bring significant performance improvements but require careful planning. Audit your cluster on v1.36, test workloads that share volumes between Pods with different SELinux labels, and be ready to opt out if necessary. For most users, the transition will be smooth, but understanding the nuances ensures a successful upgrade.