Authors: Rodrigo Campos (Microsoft), Giuseppe Scrivano (Red Hat)
Kubernetes v1.25 introduces the support for user namespaces.
This is a major improvement for running secure workloads in Kubernetes. Each pod will have access only to a limited subset of the available UIDs and GIDs on the system, thus adding a new security layer to protect from other pods running on the same system.
How does it work?
A process running on Linux can use up to 4294967296 different UIDs and GIDs.
User namespaces is a Linux feature that allows mapping a set of users in the container to different users in the host, thus restricting what IDs a process can effectively use. Furthermore, the capabilities granted in a new user namespace do not apply in the host initial namespaces.
Why is it important?
There are mainly two reasons why user namespaces are important:
improve security since they restrict the IDs a pod can use, so each pod can run in its own separate environment with unique IDs.
enable running workloads as root in a safer manner.
In a user namespace we can map the root user inside the pod to a non-zero ID outside the container, containers believe in running as root while they are a regular unprivileged ID from the host point of view.
The process can keep capabilities that are usually restricted to privileged pods and do it in a safe way since the capabilities granted in a new user namespace do not apply in the host initial namespaces.
How do I enable user namespaces?
At the moment, user namespaces support is opt-in, so you must enable it for a pod setting
false under the pod spec stanza:
apiVersion: v1 kind: Pod spec: hostUsers: false containers: - name: nginx image: docker.io/nginx
The feature is behind a feature gate, so make sure to enable the
UserNamespacesStatelessPodsSupport gate before you can use the new feature.
The runtime must also support user namespaces:
containerd: support is planned for the 1.7 release. See containerd issue #7063 for more details.
CRI-O: v1.25 has support for user namespaces.
Support for this in
cri-dockerd is not planned yet.
How do I get involved?
You can reach SIG Node by several means:
You can also contact us directly:
- GitHub / Slack: @rata @giuseppe