blog: Add blogpost for user namespaces in 1.25
Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Showing 1 changed file with 81 additions and 0 deletions.
content/en/blog/_posts/2022-08-29-add-userns-alpha/index.md (81 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
--- | ||
layout: blog | ||
title: User namespace alpha support | ||
date: 2022-08-29 | ||
slug: userns-alpha | ||
canonicalUrl: https://gateway-api.sigs.k8s.io/blog/2022/graduating-to-beta/ | ||
--- | ||
|
||
**Authors:** Rodrigo Campos (Microsoft), Giuseppe Scrivano (Red Hat) | ||
|
||
Kubernetes v1.25 introduces the support for user namespaces. | ||
|
||
This is a major improvement for running secure workloads in | ||
Kubernetes. Each pod will have access only to a limited subset of the | ||
available UIDs and GIDs on the system, thus adding a new security | ||
layer to protect from other pods running on the same system. | ||
|
||
## How does it work? | ||
A process running on Linux can use up to 4294967296 different UIDs and | ||
GIDs. | ||
|
||
User namespaces is a Linux feature that allows mapping a set of users | ||
in the container to different users in the host, thus restricting what | ||
IDs a process can effectively use. | ||
Furthermore, the capabilities granted in a user namespace are valid | ||
only in the namespace, not at the system level. | ||
|
||
## Why is it important? | ||
There are mainly two reasons why user namespaces are important. First | ||
they improve security since they restrict the IDs a pod can use, so | ||
each pod can run in its own separate environment with unique IDs. | ||
The second reason is that they enable running workloads as root in a | ||
safer manner: in a user namespace can map the root user inside the pod | ||
to a non-zero ID outside the container, containers believe in running as | ||
root while they are a regular unprivileged ID from the host point of | ||
view. Inside the user namespace, the process can keep capabilities, | ||
that are usually restricted to privileged pods and do it in a safe | ||
way since the kernel restricts these capabilities to the user | ||
namespace itself. | ||
|
||
## How to enable user namespaces? | ||
At the moment, user namespaces support is opt-in, so you must enable | ||
it for a pod setting `hostUsers` to `false` under the pod spec stanza: | ||
``` | ||
apiVersion: v1 | ||
kind: Pod | ||
spec: | ||
hostUsers: false | ||
containers: | ||
- name: nginx | ||
image: docker.io/nginx | ||
resources: | ||
limits: | ||
memory: "64Mi" | ||
cpu: "500m" | ||
``` | ||
|
||
The feature is behind a feature gate, so make sure to enable | ||
the `UserNamespacesStatelessPodsSupport=true` gate before you can use | ||
the new feature. | ||
|
||
The CRI runtime must also support user namespace: | ||
|
||
* CRI-O: v1.25 has support for user namespaces. | ||
|
||
* containerd: support is planned for the 1.7 release. See containerd | ||
issue [#7063][containerd-userns-issue] for more details. | ||
|
||
Support for this in [cri-dockerd is not planned][CRI-dockerd-issue] yet. | ||
|
||
[CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74 | ||
[containerd-userns-issue]: https://github.com/containerd/containerd/issues/7063 | ||
|
||
## How do I get involved? | ||
You can reach SIG Node by several means: | ||
- Slack: [#sig-node](https://kubernetes.slack.com/messages/sig-node) | ||
- [Mailing list](https://groups.google.com/forum/#!forum/kubernetes-sig-node) | ||
- [Open Community Issues/PRs](https://github.com/kubernetes/community/labels/sig%2Fnode) | ||
|
||
You can also contact us directly: | ||
- GitHub / Slack: @rata @giuseppe |
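Review bot: the `canonicalUrl` in the front matter points at the Gateway API post (`https://gateway-api.sigs.k8s.io/blog/2022/graduating-to-beta/`), which looks copied over from another post and would tell crawlers that this page is a duplicate of that one; drop the field or point it at this post's own URL. Two smaller points: the Pod example under "How to enable user namespaces?" has no `metadata`/`name`, so it cannot be applied as written (add `metadata:` / `  name: userns-example` or similar above `spec:`), and the opening line "Kubernetes v1.25 introduces the support for user namespaces" should say that this is alpha and limited to stateless pods, which is what both the title and the `UserNamespacesStatelessPodsSupport` gate name imply. Grammar: "in a user namespace can map the root user inside the pod" is missing its subject ("a pod in a user namespace can map the root user inside the pod"), and "containers believe in running as root" should read "the container believes it is running as root".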