STOR-2771: Add SELinuxMountGAReadiness FG

[jsafrane]

Starting in TechPreviewNoUpgrade.
See openshift/enhancements#2010

/hold
Waiting for the enhancement to merge.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@jsafrane: This pull request references STOR-2771 which is a valid jira issue.

Details

In response to this:

Starting in TechPreviewNoUpgrade.
See openshift/enhancements#2010

/hold
Waiting for the enhancement to merge.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 2f45d37f-ac70-4625-937e-282d93f39df1

📥 Commits

Reviewing files that changed from the base of the PR and between d3390bd and 3f52e05.

📒 Files selected for processing (10)

• features.md
• features/features.go
• payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml

---

📝 Walkthrough

Walkthrough

This pull request introduces a new feature gate called SELinuxMountGAReadiness to the openshift/api repository. The feature gate is registered in code with Jira component metadata and contact person details, scoped to OpenShift-specific deployments. It is enabled for TechPreviewNoUpgrade and DevPreviewNoUpgrade release channels across both Hypershift and SelfManagedHA configurations, while remaining disabled in Default and OKD channels. Changes include the feature gate code registration, documentation in the feature gate status table, and updates to eight configuration manifest files.

Suggested reviewers

• JoelSpeed

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly identifies the main change: adding a new SELinuxMountGAReadiness feature gate with a concise reference to the JIRA issue.
Description check	✅ Passed	The description is related to the changeset, indicating where the feature gate starts (TechPreviewNoUpgrade) and referencing the enhancement PR for context.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test files or test definitions. Modified files are feature documentation, Go feature gate registration, and YAML manifests only. Check is not applicable.
Test Structure And Quality	✅ Passed	Test code meets quality requirements: single responsibility, proper BeforeEach/AfterEach, explicit timeouts, meaningful assertions, and consistent patterns.
Microshift Test Compatibility	✅ Passed	PR adds only feature gate definitions and documentation, not new Ginkgo e2e tests. No test files or Ginkgo patterns (Describe, It, Context, When) detected in any modified files.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; it only adds a feature gate registration and configuration. The SNO compatibility check applies only to new test additions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only feature gate metadata (documentation, registry entry, and manifest configurations). No deployment manifests, controller code, or pod scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	PR adds feature gate documentation and registration with no stdout writes in process-level code; all changes are configuration/documentation only with no fmt.Print, klog, or similar stdout operations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds feature gate configuration only (features.md, features.go, YAML manifests). No Ginkgo e2e tests added, so IPv6/disconnected network compatibility check is not applicable.
No-Weak-Crypto	✅ Passed	PR adds feature gate SELinuxMountGAReadiness with no cryptographic code, weak algorithms, custom crypto, or unsafe token/secret comparisons detected.
Container-Privileges	✅ Passed	PR adds feature gate registration and configuration with no container specs, pod definitions, or privileged patterns like privileged: true or hostPID.
No-Sensitive-Data-In-Logs	✅ Passed	PR adds a feature gate registration with no logging statements that expose sensitive data. Contact metadata is stored internally but never logged or exposed via public APIs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @jsafrane! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment