kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #41908 from kinvolk/rata/userns-1.28 

Doc update for userns in 1.28
pull/42462/head
Kubernetes Prow Robot 2023-08-08 11:33:52 -07:00 committed by GitHub
parent a2cf620ad5 c250efb81a
commit b23511b9d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
content/en/docs/concepts/workloads/pods/user-namespaces.md
View File

@ -46,19 +46,22 @@ tmpfs, Secrets use a tmpfs, etc.)
Some popular filesystems that support idmap mounts in Linux 6.3 are: btrfs, Some popular filesystems that support idmap mounts in Linux 6.3 are: btrfs,
ext4, xfs, fat, tmpfs, overlayfs. ext4, xfs, fat, tmpfs, overlayfs.
<!-- When merging this with the dev-1.27 branch conflicts will arise. The text
as it is in the dev-1.27 branch should be used. -->
In addition, support is needed in the In addition, support is needed in the
{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
to use this feature with Kubernetes stateless pods: to use this feature with Kubernetes pods:
* CRI-O: version 1.25 (and later) supports user namespaces for containers. * CRI-O: version 1.25 (and later) supports user namespaces for containers.
Please note that containerd v1.7 supports user namespaces for containers, containerd v1.7 is not compatible with the userns support in Kubernetes v1.27 to v{{< skew latestVersion >}}.
compatible with Kubernetes {{< skew currentPatchVersion >}}. It should not be used Kubernetes v1.25 and v1.26 used an earlier implementation that **is** compatible with containerd v1.7,
with Kubernetes 1.27 (and later). in terms of userns support.
If you are using a version of Kubernetes other than {{< skew currentVersion >}},
check the documentation for that version of Kubernetes for the most relevant information.
If there is a newer release of containerd than v1.7 available for use, also check the containerd
documentation for compatibility information.
Support for this in [cri-dockerd is not planned][CRI-dockerd-issue] yet. You can see the status of user namespaces support in cri-dockerd tracked in an [issue][CRI-dockerd-issue]
on GitHub.
[CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74 [CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74
@ -72,7 +75,7 @@ A pod can opt-in to use user namespaces by setting the `pod.spec.hostUsers` fiel
to `false`. to `false`.
The kubelet will pick host UIDs/GIDs a pod is mapped to, and will do so in a way The kubelet will pick host UIDs/GIDs a pod is mapped to, and will do so in a way
to guarantee that no two stateless pods on the same node use the same mapping. to guarantee that no two pods on the same node use the same mapping.
The `runAsUser`, `runAsGroup`, `fsGroup`, etc. fields in the `pod.spec` always The `runAsUser`, `runAsGroup`, `fsGroup`, etc. fields in the `pod.spec` always
refer to the user inside the container. refer to the user inside the container.
@ -89,7 +92,7 @@ Most applications that need to run as root but don't access other host
namespaces or resources, should continue to run fine without any changes needed namespaces or resources, should continue to run fine without any changes needed
if user namespaces is activated. if user namespaces is activated.
## Understanding user namespaces for stateless pods ## Understanding user namespaces for pods {#pods-and-userns}
Several container runtimes with their default configuration (like Docker Engine, Several container runtimes with their default configuration (like Docker Engine,
containerd, CRI-O) use Linux namespaces for isolation. Other technologies exist containerd, CRI-O) use Linux namespaces for isolation. Other technologies exist
@ -159,15 +162,6 @@ allowed to set any of:
* `hostIPC: true` * `hostIPC: true`
* `hostPID: true` * `hostPID: true`
The pod is allowed to use no volumes at all or, if using volumes, only these
volume types are allowed:
* configmap
* secret
* projected
* downwardAPI
* emptyDir
## {{% heading "whatsnext" %}} ## {{% heading "whatsnext" %}}
* Take a look at [Use a User Namespace With a Pod](/docs/tasks/configure-pod-container/user-namespaces/) * Take a look at [Use a User Namespace With a Pod](/docs/tasks/configure-pod-container/user-namespaces/)

6
content/en/docs/reference/command-line-tools-reference/feature-gates.md
View File

@ -205,7 +205,8 @@ For a reference to old feature gates that are removed, please refer to
| `TopologyManagerPolicyOptions` | `false` | Alpha | 1.26 | 1.27 | | `TopologyManagerPolicyOptions` | `false` | Alpha | 1.26 | 1.27 |
| `TopologyManagerPolicyOptions` | `true` | Beta | 1.28 | | | `TopologyManagerPolicyOptions` | `true` | Beta | 1.28 | |
| `UnknownVersionInteroperabilityProxy` | `false` | Alpha | 1.28 | | | `UnknownVersionInteroperabilityProxy` | `false` | Alpha | 1.28 | |
| `UserNamespacesStatelessPodsSupport` | `false` | Alpha | 1.25 | | | `UserNamespacesStatelessPodsSupport` | `false` | Alpha | 1.25 | 1.27 |
| `UserNamespacesSupport` | `false` | Alpha | 1.28 | |
| `ValidatingAdmissionPolicy` | `false` | Alpha | 1.26 | | | `ValidatingAdmissionPolicy` | `false` | Alpha | 1.26 | |
| `VolumeCapacityPriority` | `false` | Alpha | 1.21 | - | | `VolumeCapacityPriority` | `false` | Alpha | 1.21 | - |
| `WatchList` | false | Alpha | 1.27 | | | `WatchList` | false | Alpha | 1.27 | |
@ -774,7 +775,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
- `UnknownVersionInteroperabilityProxy`: Proxy resource requests to the correct peer kube-apiserver when - `UnknownVersionInteroperabilityProxy`: Proxy resource requests to the correct peer kube-apiserver when
multiple kube-apiservers exist at varied versions. multiple kube-apiservers exist at varied versions.
See [Mixed version proxy](/docs/concepts/architecture/mixed-version-proxy/) for more information. See [Mixed version proxy](/docs/concepts/architecture/mixed-version-proxy/) for more information.
- `UserNamespacesStatelessPodsSupport`: Enable user namespace support for stateless Pods. - `UserNamespacesStatelessPodsSupport`: Enable user namespace support for stateless Pods. This flag was renamed on newer releases to `UserNamespacesSupport`.
- `UserNamespacesSupport`: Enable user namespace support for Pods.
- `ValidatingAdmissionPolicy`: Enable [ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) support for CEL validations be used in Admission Control. - `ValidatingAdmissionPolicy`: Enable [ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) support for CEL validations be used in Admission Control.
- `VolumeCapacityPriority`: Enable support for prioritizing nodes in different - `VolumeCapacityPriority`: Enable support for prioritizing nodes in different
topologies based on available PV capacity. topologies based on available PV capacity.

18
content/en/docs/tasks/configure-pod-container/user-namespaces.md
View File

@ -9,9 +9,8 @@ min-kubernetes-server-version: v1.25
<!-- overview --> <!-- overview -->
{{< feature-state for_k8s_version="v1.25" state="alpha" >}} {{< feature-state for_k8s_version="v1.25" state="alpha" >}}
This page shows how to configure a user namespace for stateless pods. This This page shows how to configure a user namespace for pods. This allows you to
allows to isolate the user running inside the container from the one in the isolate the user running inside the container from the one in the host.
host.
A process running as root in a container can run as a different (non-root) user A process running as root in a container can run as a different (non-root) user
in the host; in other words, the process has full privileges for operations in the host; in other words, the process has full privileges for operations
@ -41,7 +40,14 @@ this is true when user namespaces are used.
* The node OS needs to be Linux * The node OS needs to be Linux
* You need to exec commands in the host * You need to exec commands in the host
* You need to be able to exec into pods * You need to be able to exec into pods
* Feature gate `UserNamespacesStatelessPodsSupport` need to be enabled. * You need to enable the `UserNamespacesSupport`
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
{{< note >}}
The feature gate to enable user namespaces was previously named
`UserNamespacesStatelessPodsSupport`, when only stateless pods were supported.
Only Kubernetes v1.25 through to v1.27 recognise `UserNamespacesStatelessPodsSupport`.
{{</ note >}}
The cluster that you're using **must** include at least one node that meets the The cluster that you're using **must** include at least one node that meets the
[requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin) [requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin)
@ -59,8 +65,8 @@ created without user namespaces.**
## Run a Pod that uses a user namespace {#create-pod} ## Run a Pod that uses a user namespace {#create-pod}
A user namespace for a stateless pod is enabled setting the `hostUsers` field of A user namespace for a pod is enabled setting the `hostUsers` field of `.spec`
`.spec` to `false`. For example: to `false`. For example:
{{< codenew file="pods/user-namespaces-stateless.yaml" >}} {{< codenew file="pods/user-namespaces-stateless.yaml" >}}