Feature Request
Resolution: Unresolved
Normal
openshift-4.18, openshift-4.19, 4.18
Product / Portfolio Work
1. Proposed title of this feature request
Supported Configuration for Image-Registry SELinux Relabeling Skip and RuntimeClass
2. What is the nature and description of the request?
This RFE proposes supported configuration options in the config.imageregistry/cluster object to address CreateContainerError states of the image-registry pod caused by SELinux relabeling failures on PVCs with very large file counts.
Currently, when the image-registry pod uses a PVC containing a large number of files, the recursive SELinux relabeling of the volume can fail, and the pod enters a CreateContainerError state. Workarounds exist for customer application workloads, but the image-registry deployment is managed by the OpenShift Container Platform (OCP) image-registry operator, which reverts any direct modification to it.
The only known solution for the image-registry today is to use the unsupportedConfigOverrides section of config.imageregistry/cluster to add the io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: "true" annotation, and potentially runtimeClassName: selinux, to the image-registry deployment. This approach is explicitly unsupported by Red Hat and carries the risk of blocking cluster upgrades, so customers are hesitant to apply it and have little confidence in it.[1]
This RFE asks for a supported mechanism to enable the necessary annotation and runtime class on the image-registry deployment, mitigating the SELinux relabeling issue without resorting to unsupported configuration.
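As an added example, not part of this RFE or of the KCS articles it cites, the following Python script combines the checks an administrator runs before and after applying the workaround above: whether the registry container is actually waiting in CreateContainerError with a relabel-related message, whether the deployment the operator rendered carries the skip-relabel annotation and the selinux runtimeClassName (the deployment, not the config object, shows whether the operator applied or reverted the change), and whether spec.unsupportedConfigOverrides is non-empty at all, since that presence alone is the support and upgrade risk. Per CRI-O's description of the annotation, it only lets CRI-O skip the recursive relabel when the top of the volume already carries the expected label, so a volume with wrong labels still needs fixing. All JSON documents in the block are constructed; the override value in the sample config is a placeholder because the real layout is the one KCS [1] prescribes. Assumed for the oc commands in the docstring: the deployment name image-registry in namespace openshift-image-registry and the pod label docker-registry=default.

```python
"""Audit the OpenShift image-registry for the SELinux-relabel failure and the
unsupported CRI-O skip-relabel workaround.

Added example, not part of the RFE or the KCS articles. Input is the JSON of:
  oc get pods -n openshift-image-registry -l docker-registry=default -o json
  oc get deployment image-registry -n openshift-image-registry -o json
  oc get config.imageregistry/cluster -o json
The SAMPLE_* documents below are constructed so the script runs offline.
"""
import json

SKIP_RELABEL_ANNOTATION = "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"
SELINUX_RUNTIME_CLASS = "selinux"


def stuck_containers(pod):
    """Containers of one pod waiting in CreateContainerError, as (name, message)."""
    found = []
    for status in pod.get("status", {}).get("containerStatuses", []):
        waiting = status.get("state", {}).get("waiting") or {}
        if waiting.get("reason") == "CreateContainerError":
            found.append((status.get("name", "?"), waiting.get("message", "")))
    return found


def mentions_relabel(message):
    """Heuristic: does the CRI-O error text point at volume SELinux relabeling?"""
    text = message.lower()
    return "relabel" in text or "setxattr" in text


def workaround_state(pod_template):
    """Report whether the skip-relabel annotation and the selinux RuntimeClass
    are on the pod template.

    Check the deployment the operator rendered, not the config object: an edit
    the operator reverted is absent here even if it was applied by hand.
    """
    annotations = pod_template.get("metadata", {}).get("annotations") or {}
    spec = pod_template.get("spec", {})
    return {
        "skip_annotation": annotations.get(SKIP_RELABEL_ANNOTATION) == "true",
        "runtime_class": spec.get("runtimeClassName") == SELINUX_RUNTIME_CLASS,
    }


def has_unsupported_overrides(registry_config):
    """True when spec.unsupportedConfigOverrides is set at all (the support/upgrade risk)."""
    return bool(registry_config.get("spec", {}).get("unsupportedConfigOverrides"))


def audit(pod_list, deployment, registry_config):
    """Combine the three checks into one report."""
    errors = []
    for pod in pod_list.get("items", []):
        for name, message in stuck_containers(pod):
            errors.append({"pod": pod["metadata"]["name"], "container": name,
                           "relabel_related": mentions_relabel(message)})
    template = deployment.get("spec", {}).get("template", {})
    return {
        "create_container_errors": errors,
        "workaround": workaround_state(template),
        "unsupported_overrides_set": has_unsupported_overrides(registry_config),
    }


# Constructed sample documents (shapes follow the Kubernetes API; values are made up).
SAMPLE_PODS = {"items": [{
    "metadata": {"name": "image-registry-6d7f9c8b4d-x2k9p"},
    "status": {"containerStatuses": [{
        "name": "registry",
        "state": {"waiting": {
            "reason": "CreateContainerError",
            "message": "relabel failed /var/lib/kubelet/pods/0e1c/volumes/"
                       "kubernetes.io~csi/registry-storage/mount: operation not permitted",
        }},
    }]},
}]}

SAMPLE_DEPLOYMENT = {"spec": {"template": {
    "metadata": {"annotations": {SKIP_RELABEL_ANNOTATION: "true"}},
    "spec": {"runtimeClassName": SELINUX_RUNTIME_CLASS},
}}}

# Only the presence of unsupportedConfigOverrides is checked; the real layout is
# whatever KCS [1] prescribes, so the value here is a placeholder.
SAMPLE_REGISTRY_CONFIG = {"spec": {"unsupportedConfigOverrides": {"placeholder": True}}}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PODS, SAMPLE_DEPLOYMENT, SAMPLE_REGISTRY_CONFIG), indent=2))
```

To run it against a live cluster, replace the three SAMPLE_* documents with json.load of the corresponding oc outputs. The useful signal is the combination: a relabel-related CreateContainerError with the workaround absent from the rendered deployment means the operator has not applied (or has reverted) it, while unsupported_overrides_set being true on an otherwise healthy registry is exactly the upgrade-blocking configuration this RFE wants to retire.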
3. Why does the customer need this? (List the business requirements here)
Cluster Stability and Uptime: The current SELinux relabeling issue directly impacts the stability and availability of the image-registry, which is a critical component of any OpenShift cluster. Providing a supported fix ensures consistent operation and reduces downtime.
Customer Confidence and Compliance: Relying on unsupportedConfigOverrides undermines customer confidence in the platform and can create compliance concerns for organizations with strict operational guidelines. A supported solution demonstrates Red Hat's commitment to providing reliable and maintainable features.
Reduced Operational Overhead: Customers are currently forced to implement and maintain an unsupported workaround. A supported configuration would simplify their operational procedures and reduce the burden of managing custom, potentially breaking, configurations.
Improved User Experience: Resolving a known and frequently encountered issue (as evidenced by the high linking rate of KCS [2]) through a supported channel significantly improves the overall user experience for OpenShift administrators and developers.
Prevention of Upgrade Blocks: The use of unsupportedConfigOverrides is a known risk for cluster upgrades. A supported solution eliminates this risk, ensuring smoother and more predictable upgrade paths for customers.
Addressing a Widespread Problem: The SELinux relabeling issue is not isolated to the image-registry but is a prevalent problem across various application workloads (KCS [2] has a linking rate of 364 cases). A supported solution for a core OpenShift component like the image-registry will set a precedent and demonstrate Red Hat's commitment to addressing this broader challenge.
4. List any affected packages or components.
image-registry
[1] https://access.redhat.com/solutions/7107463
[2] https://access.redhat.com/solutions/6221251