From b8ccbd0b09db4671a553027968176fd1cd8bb52c Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 1 Dec 2022 21:35:02 -0600 Subject: [PATCH] jenkins: Avoid SELinux relabel of data dir Setting a static SELinux level for the container allows CRI-O to skip relabeling all the files in the persistent volume each time the container starts. For this to work, the pod needs a special annotation, and CRI-O itself has to be configured to respect it: ```toml [crio.runtime.runtimes.runc] allowed_annotations = ["io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"] ``` This *dramatically* improves the start time of the Jenkins container. Instead of taking 5+ minutes, it now starts instantly. https://github.com/cri-o/cri-o/issues/6185#issuecomment-1334719982
---
 jenkins/jenkins.yaml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/jenkins/jenkins.yaml b/jenkins/jenkins.yaml
index 1cadfb3..9387c18 100644
--- a/jenkins/jenkins.yaml
+++ b/jenkins/jenkins.yaml
@@ -108,6 +108,8 @@ spec:
 app.kubernetes.io/instance: jenkins
 template:
 metadata:
+ annotations:
+ io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel: 'true'
 labels:
 app.kubernetes.io/name: jenkins
 app.kubernetes.io/component: master
@@ -122,6 +124,9 @@ spec:
 containerPort: 8080
 - name: jnlp
 containerPort: 40414
+ securityContext:
+ seLinuxOptions:
+ level: s0:c525,c600
 volumeMounts:
 - name: jenkins-data
 mountPath: /var/jenkins_home
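Review bot: The annotation added under `template.metadata.annotations` depends on node-level CRI-O configuration that the manifest never mentions; the requirement is recorded only in the commit message. I would put a comment directly above it, e.g. `# Only honoured when CRI-O lists this annotation in allowed_annotations for the runtime; otherwise the volume is relabeled on every start.` Without that, a node rebuilt with a default CRI-O config would presumably bring back the slow start with nothing in the manifest to explain why. The pod template continues outside the hunk.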
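Review bot: The fixed MCS level `s0:c525,c600` in the container's `securityContext.seLinuxOptions` replaces the category pair the runtime would otherwise choose per container, so MCS no longer separates Jenkins from any other workload that is given, or happens to draw, the same pair. A comment above `level:` should say the pair is reserved for this workload, e.g. `# Static MCS level reserved for Jenkins; do not reuse for other pods. Must match the label already on jenkins-data.` Because the level is set on one container rather than in the pod-level `securityContext`, any other container in the pod that mounts `jenkins-data` would run at a different level; whether one exists is not visible in the hunk. Writing the value as `level: 's0:c525,c600'` would also match the quoting used for the annotation value.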