Merge pull request #41908 from kinvolk/rata/userns-1.28

Doc update for userns in 1.28
2023-08-08 11:33:52 -07:00 · 2023-08-08 11:33:52 -07:00 · b23511b9d0
parent a2cf620ad5 c250efb81a
commit b23511b9d0
3 changed files with 28 additions and 26 deletions
--- a/content/en/docs/concepts/workloads/pods/user-namespaces.md
+++ b/content/en/docs/concepts/workloads/pods/user-namespaces.md
@ -46,19 +46,22 @@ tmpfs, Secrets use a tmpfs, etc.)
 Some popular filesystems that support idmap mounts in Linux 6.3 are: btrfs,
 ext4, xfs, fat, tmpfs, overlayfs.

-<!-- When merging this with the dev-1.27 branch conflicts will arise. The text
-as it is in the dev-1.27 branch should be used. -->
 In addition, support is needed in the 
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-to use this feature with Kubernetes stateless pods:
+to use this feature with Kubernetes pods:

 * CRI-O: version 1.25 (and later) supports user namespaces for containers.

-Please note that containerd v1.7 supports user namespaces for containers,
-compatible with Kubernetes {{< skew currentPatchVersion >}}. It should not be used
-with Kubernetes 1.27 (and later).
+containerd v1.7 is not compatible with the userns support in Kubernetes v1.27 to v{{< skew latestVersion >}}.
+Kubernetes v1.25 and v1.26 used an earlier implementation that **is** compatible with containerd v1.7,
+in terms of userns support.
+If you are using a version of Kubernetes other than {{< skew currentVersion >}},
+check the documentation for that version of Kubernetes for the most relevant information.
+If there is a newer release of containerd than v1.7 available for use, also check the containerd
+documentation for compatibility information.

-Support for this in [cri-dockerd is not planned][CRI-dockerd-issue] yet.
+You can see the status of user namespaces support in cri-dockerd tracked in an [issue][CRI-dockerd-issue]
+on GitHub.

 [CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74

@ -72,7 +75,7 @@ A pod can opt-in to use user namespaces by setting the `pod.spec.hostUsers` fiel
 to `false`.

 The kubelet will pick host UIDs/GIDs a pod is mapped to, and will do so in a way
-to guarantee that no two stateless pods on the same node use the same mapping.
+to guarantee that no two pods on the same node use the same mapping.

 The `runAsUser`, `runAsGroup`, `fsGroup`, etc. fields in the `pod.spec` always
 refer to the user inside the container.
@ -89,7 +92,7 @@ Most applications that need to run as root but don't access other host
 namespaces or resources, should continue to run fine without any changes needed
 if user namespaces is activated.

-## Understanding user namespaces for stateless pods
+## Understanding user namespaces for pods {#pods-and-userns}

 Several container runtimes with their default configuration (like Docker Engine,
 containerd, CRI-O) use Linux namespaces for isolation. Other technologies exist
@ -159,15 +162,6 @@ allowed to set any of:
 * `hostIPC: true`
 * `hostPID: true`

-The pod is allowed to use no volumes at all or, if using volumes, only these
-volume types are allowed:
-
- * configmap
- * secret
- * projected
- * downwardAPI
- * emptyDir
-
 ## {{% heading "whatsnext" %}}

 * Take a look at [Use a User Namespace With a Pod](/docs/tasks/configure-pod-container/user-namespaces/)
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@ -205,7 +205,8 @@ For a reference to old feature gates that are removed, please refer to
 | `TopologyManagerPolicyOptions` | `false` | Alpha | 1.26 | 1.27 |
 | `TopologyManagerPolicyOptions` | `true` | Beta | 1.28 | |
 | `UnknownVersionInteroperabilityProxy` | `false` | Alpha | 1.28 | |
-| `UserNamespacesStatelessPodsSupport` | `false` | Alpha | 1.25 | |
+| `UserNamespacesStatelessPodsSupport` | `false` | Alpha | 1.25 | 1.27 |
+| `UserNamespacesSupport` | `false` | Alpha | 1.28 | |
 | `ValidatingAdmissionPolicy` | `false` | Alpha | 1.26 | |
 | `VolumeCapacityPriority` | `false` | Alpha | 1.21 | - |
 | `WatchList` | false | Alpha | 1.27 | |
@ -774,7 +775,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `UnknownVersionInteroperabilityProxy`: Proxy resource requests to the correct peer kube-apiserver when
  multiple kube-apiservers exist at varied versions.
  See [Mixed version proxy](/docs/concepts/architecture/mixed-version-proxy/) for more information.
- `UserNamespacesStatelessPodsSupport`: Enable user namespace support for stateless Pods.
+- `UserNamespacesStatelessPodsSupport`: Enable user namespace support for stateless Pods. This flag was renamed on newer releases to `UserNamespacesSupport`.
+- `UserNamespacesSupport`: Enable user namespace support for Pods.
 - `ValidatingAdmissionPolicy`: Enable [ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) support for CEL validations be used in Admission Control.
 - `VolumeCapacityPriority`: Enable support for prioritizing nodes in different
  topologies based on available PV capacity.
--- a/content/en/docs/tasks/configure-pod-container/user-namespaces.md
+++ b/content/en/docs/tasks/configure-pod-container/user-namespaces.md
@ -9,9 +9,8 @@ min-kubernetes-server-version: v1.25
 <!-- overview -->
 {{< feature-state for_k8s_version="v1.25" state="alpha" >}}

-This page shows how to configure a user namespace for stateless pods. This
-allows to isolate the user running inside the container from the one in the
-host.
+This page shows how to configure a user namespace for pods. This allows you to
+isolate the user running inside the container from the one in the host.

 A process running as root in a container can run as a different (non-root) user
 in the host; in other words, the process has full privileges for operations
@ -41,7 +40,14 @@ this is true when user namespaces are used.
 * The node OS needs to be Linux
 * You need to exec commands in the host
 * You need to be able to exec into pods
-* Feature gate `UserNamespacesStatelessPodsSupport` need to be enabled.
+* You need to enable the `UserNamespacesSupport`
+  [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+
+{{< note >}}
+The feature gate to enable user namespaces was previously named
+`UserNamespacesStatelessPodsSupport`, when only stateless pods were supported.
+Only Kubernetes v1.25 through to v1.27 recognise `UserNamespacesStatelessPodsSupport`.
+{{</ note >}}

 The cluster that you're using **must** include at least one node that meets the
 [requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin)
@ -59,8 +65,8 @@ created without user namespaces.**

 ## Run a Pod that uses a user namespace {#create-pod}

-A user namespace for a stateless pod is enabled setting the `hostUsers` field of
-`.spec` to `false`. For example:
+A user namespace for a pod is enabled setting the `hostUsers` field of `.spec`
+to `false`. For example:

 {{< codenew file="pods/user-namespaces-stateless.yaml" >}}