Empty seLinuxOptions Blocks Trigger K8sPSPSELinuxV2

Empty SELinux blocks are causing the K8sPSPSELinuxV2 policy to get activated and blocking installations.

seLinuxOptions: {}

This has been seen in Thanos and Redis packages (redis was seen via the argocd installation getting blocked)

{"level":"info","ts":1706025263.6377065,"logger":"webhook","msg":"denied admission: SELinux options is not allowed, pod: argocd-argocd-redis-bb-master-0, container metrics. Allowed options: []","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"selinux-policy","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sPSPSELinuxV2","constraint_action":"deny","resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"argocd","resource_name":"argocd-argocd-redis-bb-master-0","request_username":"system:serviceaccount:kube-system:statefulset-controller"}

It seems too that adding a gatekeeper policy exception does not work. The only known work-around at the moment is to make sure the packages don't declare an empty seLinuxOptions: {} block . For example, adding these to the exceptions list did not work.

      - thanos/thanos-query-frontend-.?
      - thanos/thanos-query-.?
      - thanos/thanos-storagegateway-.?

or

      - thanos/.*

or

      - thanos/.?

Relates to thanos#33 (closed)