k8s: SELinux Volume Label Changes goes GA (and likely implications in v1.37)
Kubernetes Official Blog
2026-04-22
Kubernetes v1.36 introduces stable Pod field `spec.securityContext.seLinuxChangePolicy` and a new optional `selinux-warning-controller` to help prepare for a likely v1.37 default-on `SELinuxMount` change. When SELinux is enabled, mounts can switch from recursive relabeling to mount-time labeling, which improves performance but can break some shared-volume patterns; clusters should audit for conflicts and opt out per Pod with `Recursive` if needed.