Document user namespace changes in v1.27 (KEP-127) (#39860)

* content: Update user namespaces version requirements Also, with the new implementation, the fsGroup was dropped. So removed the mention to those limitations. Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> * content: Add reference to the userns task in the concepts page Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com> --------- Signed-off-by: Rodrigo Campos <rodrigoca@microsoft.com>
2023-03-31 00:01:48 -03:00 · 2023-03-31 00:01:48 -03:00 · 2ffb037188
parent a4eca1afc6
commit 2ffb037188
2 changed files with 29 additions and 20 deletions
--- a/content/en/docs/concepts/workloads/pods/user-namespaces.md
+++ b/content/en/docs/concepts/workloads/pods/user-namespaces.md
@ -29,22 +29,36 @@ mitigate some future vulnerabilities too.
 <!-- body -->
 ## {{% heading "prerequisites" %}}

-{{% thirdparty-content single="true" %}}
-<!-- if adding another runtime in the future, omit the single setting -->
+{{% thirdparty-content %}}

-This is a Linux only feature. In addition, support is needed in the 
+This is a Linux-only feature and support is needed in Linux for idmap mounts on
+the filesystems used. This means:
+
+* On the node, the filesystem you use for `/var/lib/kubelet/pods/`, or the
+  custom directory you configure for this, needs idmap mount support.
+* All the filesystems used in the pod's volumes must support idmap mounts.
+
+In practice this means you need at least Linux 6.3, as tmpfs started supporting
+idmap mounts in that version. This is usually needed as several Kubernetes
+features use tmpfs (the service account token that is mounted by default uses a
+tmpfs, Secrets use a tmpfs, etc.)
+
+Some popular filesystems that support idmap mounts in Linux 6.3 are: btrfs,
+ext4, xfs, fat, tmpfs, overlayfs.
+
+In addition, support is needed in the 
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
 to use this feature with Kubernetes stateless pods:

-* CRI-O: v1.25 has support for user namespaces.
+* CRI-O: version 1.25 (and later) supports user namespaces for containers.

-* containerd: support is planned for the 1.7 release. See containerd
-  issue [#7063][containerd-userns-issue] for more details.
+Please note that containerd v1.7 supports user namespaces for containers,
+compatible with Kubernetes {{< skew currentVersion >}}. It should not be used
+with Kubernetes 1.27 (and later).

 Support for this in [cri-dockerd is not planned][CRI-dockerd-issue] yet.

 [CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74
-[containerd-userns-issue]: https://github.com/containerd/containerd/issues/7063

 ## Introduction

@ -152,13 +166,6 @@ volume types are allowed:
 * downwardAPI
 * emptyDir

-To guarantee that the pod can read the files of such volumes, volumes are
-created as if you specified `.spec.securityContext.fsGroup` as `0` for the Pod.
-If it is specified to a different value, this other value will of course be
-honored instead.
+## {{% heading "whatsnext" %}}

-As a by-product of this, folders and files for these volumes will have
-permissions for the group, even if `defaultMode` or `mode` to specific items of
-the volumes were specified without permissions to groups. For example, it is not
-possible to mount these volumes in a way that its files have permissions only
-for the owner.
+* Take a look at [Use a User Namespace With a Pod](/docs/tasks/configure-pod-container/user-namespaces/)
--- a/content/en/docs/tasks/configure-pod-container/user-namespaces.md
+++ b/content/en/docs/tasks/configure-pod-container/user-namespaces.md
@ -43,11 +43,13 @@ this is true when user namespaces are used.
 * You need to be able to exec into pods
 * Feature gate `UserNamespacesStatelessPodsSupport` need to be enabled.

-In addition, support is needed in the
-{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-to use this feature with Kubernetes stateless pods:
+The cluster that you're using **must** include at least one node that meets the
+[requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin)
+for using user namespaces with Pods.

-* CRI-O: v1.25 has support for user namespaces.
+If you have a mixture of nodes and only some of the nodes provide user namespace support for
+Pods, you also need to ensure that the user namespace Pods are
+[scheduled](/docs/concepts/scheduling-eviction/assign-pod-node/) to suitable nodes.

 Please note that **if your container runtime doesn't support user namespaces, the
 `hostUsers` field in the pod spec will be silently ignored and the pod will be