From 6b6fa0f882dba14dce655952f02c733acfc02ed6 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 31 Aug 2025 10:55:49 -0500
Subject: [PATCH] ci: Skip SELinux relabel on start

By default, CRI-O assigns a random SELinux category to every pod, and then must adjust the label of every file and directory in the persistent volume to match. For very large volumes like a Buildroot output directory, this can take quite some time. Fortunately, if we assign a static category, we can tell CRI-O to skip the relabel step.
---
 ci/podTemplate.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
index a15cc3b..5366644 100644
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@@ -1,3 +1,6 @@
+metadata:
+ annotations:
+ io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
 spec:
 containers:
 - name: build
@@ -13,6 +16,8 @@ spec:
 subPath: ssh_known_hosts
 securityContext:
 fsGroupChangePolicy: OnRootMismatch
+ seLinuxOptions:
+ level: s0:c596,c675
 volumes:
 - name: ssh-known-hosts
 configMap:
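Review bot: The `io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel` annotation added at the top of ci/podTemplate.yaml has no comment, and its preconditions are recorded only in the commit message. As far as I know, CRI-O honours this annotation only when the runtime handler lists it under `allowed_annotations`, and the skip is only meaningful together with the fixed level set in the second hunk. If either condition is missing, the pod presumably falls back to a full relabel (or to files it cannot read) with no error in this file. I would put a comment above the key, for example `# Skip the recursive volume relabel; needs the fixed seLinuxOptions.level below and the annotation allowed in the CRI-O runtime config`.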
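Review bot: Hard-coding `level: s0:c596,c675` in the pod-level `securityContext` gives every pod created from this template the same MCS category pair. SELinux therefore no longer separates concurrent build pods from one another, or from any other workload on the node that is assigned the same pair. That is the price of skipping the relabel, and it should be stated next to the value, for example `# Fixed MCS level shared by all build pods so CRI-O can skip relabeling; keep c596,c675 reserved for this job`. Quoting the scalar as `level: 's0:c596,c675'` would also match the quoted `'true'` in the first hunk and keep it a string under any parser. The `spec` mapping continues outside the hunk, so whether a container-level `securityContext` overrides this level cannot be checked from here.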