Support user namespaces phase I in Kubernetes 1.25+ #7063
Comments
(c) fuse-overlayfs with its own usermode idmap (containerd/snapshotter_opts_unix.go, lines 28 to 36 in 6fa9588)
But anyway we should prioritize (a)
@AkihiroSuda I agree, (a) is very important. And added (c) now, thanks! Do you know if fuse-overlayfs supports exposing the image with permissions changed without the storage overhead of a chown (neither the file nor the inode usage; we can reduce the storage using metacopy, but we use a lot of inodes) and without the startup latency of a chown too?
This version contains the CRI changes for user namespaces support. Future patches will use the new fields in the CRI. Updating the module without using the new fields doesn't cause any behaviour change. Updates: containerd#7063 Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
What is the problem you're trying to solve
Kubernetes 1.25 will have support for user namespaces: phase I of the KEP will be implemented, and I'm planning to write the containerd patches for that too (I have an early prototype already).
Please note that phase 1 as described in the KEP doesn't support volumes except for ephemeral ones that have the same lifecycle as the pod, like secrets or configmaps mounted as volumes. The kubelet will create the files for those volumes with the proper permissions so the user in the userns can read them. In other words, nothing to do in the container runtime for volumes yet :)
Describe the solution you'd like
The containerd implementation will have to solve the following items.
Bear in mind I will create an issue in the following days, if one doesn't exist already, for each item to explain it in more detail:
Additional context
It will be great if anyone else wants to help with any of these issues, you can write me in the CNCF slack or k8s slack. You can find me there as Rodrigo Campos/rata, we can coordinate to not duplicate efforts :)
I'll focus first on the Kubernetes bits, as we have a tight deadline for 1.25. So, don't worry if I take some time to start opening PRs for this in containerd :)
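Both the chown question in the comment above and the kubelet-writes-files-with-the-proper-permissions remark in the issue body come down to one thing: how a host uid/gid looks from inside a pod's user namespace, and vice versa. The following Go program is an added example written for this page; it is not containerd's or Kubernetes' code. It parses the kernel's `/proc/<pid>/uid_map` text format ("inside outside count" per line), maps IDs in both directions, and reports the kernel's default overflow ID (65534, the assumed value of `/proc/sys/kernel/overflowuid`) for host IDs the map does not cover. The sample map ("0 100000 65536") is constructed for the demo; the validation is limited to the checks the example needs (three fields, non-zero count, no 32-bit wrap) and does not reproduce every rule the kernel applies when writing a map.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// OverflowID is the kernel's default overflowuid/overflowgid (assumed here
// to be the stock 65534): the ID a process inside a user namespace sees for
// any host ID that the namespace's map does not cover.
const OverflowID = 65534

// Extent is one line of /proc/<pid>/uid_map or gid_map: "<inside> <outside> <count>".
type Extent struct {
	Inside, Outside, Count uint32
}

// IDMap is the ordered list of extents for one namespace.
type IDMap []Extent

// ParseIDMap parses the uid_map/gid_map text format. It rejects malformed
// extents and extents whose range would wrap past 2^32-1, which the kernel
// also refuses; it does not check overlap or the kernel's extent limit.
func ParseIDMap(text string) (IDMap, error) {
	var m IDMap
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("bad extent %q: want 3 fields", line)
		}
		var v [3]uint32
		for i, s := range f {
			n, err := strconv.ParseUint(s, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("bad extent %q: %w", line, err)
			}
			v[i] = uint32(n)
		}
		if v[2] == 0 {
			return nil, fmt.Errorf("bad extent %q: count must be > 0", line)
		}
		if uint64(v[0])+uint64(v[2]) >= 1<<32 || uint64(v[1])+uint64(v[2]) >= 1<<32 {
			return nil, fmt.Errorf("bad extent %q: range wraps past 2^32-1", line)
		}
		m = append(m, Extent{Inside: v[0], Outside: v[1], Count: v[2]})
	}
	return m, sc.Err()
}

// ToHost maps an in-namespace ID to the host ID the kernel records when the
// contained process creates a file. An unmapped ID is an error, matching the
// kernel, which fails such an operation instead of guessing.
func (m IDMap) ToHost(inside uint32) (uint32, error) {
	for _, e := range m {
		if inside >= e.Inside && inside-e.Inside < e.Count {
			return e.Outside + (inside - e.Inside), nil
		}
	}
	return 0, errors.New("id not mapped in namespace")
}

// FromHost maps a host ID (for example the owner of an image-layer file or of
// a file the kubelet wrote) to what a process inside the namespace sees: the
// mapped ID, or OverflowID when no extent covers it.
func (m IDMap) FromHost(host uint32) uint32 {
	for _, e := range m {
		if host >= e.Outside && host-e.Outside < e.Count {
			return e.Inside + (host - e.Outside)
		}
	}
	return OverflowID
}

func main() {
	// Constructed map: container 0..65535 -> host 100000..165535.
	m, err := ParseIDMap("0 100000 65536\n")
	if err != nil {
		panic(err)
	}
	// An image layer owned by host root is seen as the overflow ID inside the
	// pod; this is why the snapshotter must chown or idmap the layer.
	fmt.Println("host uid 0 seen inside as:", m.FromHost(0))
	// A secret file the kubelet chowns to the host ID for container uid 0 is
	// seen as root inside the pod without any runtime work.
	h, _ := m.ToHost(0)
	fmt.Println("container uid 0 is host uid:", h, "-> seen inside as:", m.FromHost(h))
}
```

The two lookups in `main` show the asymmetry that drives the thread: content already on the host with IDs outside the map (image layers) needs a chown or an idmap before it is usable, while content the kubelet writes can simply be created with `ToHost(uid)` as its owner.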