Support User Namespaces in pods

[derekwaynecarr]

Enhancement Description

• One-line enhancement description (can be used as a release note): Add support for user namespaces in pods
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-user-namespaces/README.md
• Discussion Link: This was discussed in several sig-node meetings, most notable Nov 2 2021 and in this PR, that feedback was incorporated already by this KEP is taking: keps/127: Support User Namespaces #2101.
• Primary contact (assignee): @rata @giuseppe
• Responsible SIGs: sig-node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.25
  • Beta1 release target (x.y): 1.30
  • Beta2 release target (x.y): 1.33
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • v1.24 127: Add KEP for user namespaces support #3065
    • v1.25 KEP-127: Mark as implementable (target phase I for 1.25) #3275
    • v1.27 KEP-127: Support userns in stateless pods with idmap mounts #3811
    • v1.28 [KEP-127] Add Pod Security Standards to User Namespaces KEP #4044
    • v1.28 KEP-127: add support for stateful pods #4084
    • v1.28 KEP-127: Fix user namespaces feature gate name #4107
    • v1.28 KEP-127: Update feature gate name and update last-milestone for 1.29 #4147
  • Code (k/k) update PR(s):
    • v1.27 KEP-127: user namespace support for stateless pods kubernetes#116377
    • v1.28 apis: drop check for volumes with user namespaces kubernetes#118691
    • v1.29 KEP-127: Update PSS based on feature gate kubernetes#118760
  • Docs (k/website) update PR(s):
    • v1.27 Document user namespace changes in v1.27 (KEP-127) website#39860
    • v1.28 Doc update for userns in 1.28 website#41908 (v1.28)
    • v1.29 [KEP-127] Add documentation about user namespaces and PSS website#43803 (v1.29)
• Beta 1 （default off）
  • KEP (k/enhancements) update PR(s):
    • KEP-127: graduate to Beta for 1.30 #4439
  • Code (k/k) update PR(s):
    • KEP-127: require userns support from the CRI runtime before using it kubernetes#123216
    • KEP-127: kubelet: honor kubelet user mappings kubernetes#123593
    • KEP-127: Add UserNamespacesPodSecurityStandards e2e test kubernetes#121606
  • Docs (k/website) update(s):
    • Feature blog 1.30: user namespaces website#45354
    • User namespaces doc changes for 1.30 website#45178
• Beta 2 （default on）
  • KEP (k/enhancements) update PR(s):
    • KEP-127: update beta to be on by default #5118
    • KEP-127 (UserNS): allow customizing subids length  #5020
    • KEP-127: Update userns KEP template to latest and and answer more sections #5141
  • Code PRs for 1.33:
    • features: Enable user namespaces by default kubernetes#130138
    • kubelet: config: add userNamespaces.idsPerPod kubernetes#130028
    • Revert userns kernel check kubernetes#130243
  • Doc PR for 1.33:
    • user-namespaces: add idsPerPod configuration website#49749

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[derekwaynecarr]

This work is being done by @pweil- and is reviewed by @derekwaynecarr, it is sponsored by @kubernetes/sig-node

[mdshuai]

@derekwaynecarr Could you help create a user story card for this feature?

[idvoretskyi]

@derekwaynecarr can you confirm that this feature targets alpha for 1.5?

[pweil-]

@derekwaynecarr can you confirm that this feature targets alpha for 1.5?

Yes, this feature is experimental only so it would be considered alpha.

[idvoretskyi]

@derekwaynecarr @pweil- can you confirm that this item targets beta in 1.6?

[adelton]

@derekwaynecarr, the proposal kubernetes/kubernetes#34569 was closed by bot due to inactivity.

@pweil-, in kubernetes/kubernetes#34569 (comment) you've proposed the approach pweil-/kubernetes@16f29eb which changes the group of /var/lib/kubelet/pods to the remapped root group. Do I understand it correctly that this is currently not tracked in any pull request?

[adelton]

@pweil-, I also wonder if similar to docker's /var/lib/docker/<uid>.<gid> approach when --userns-remap is used, it might make sense to use /var/lib/kubelet/pods-<uid>.<gid> and just chown/chgroup everything in those subdirectories to the remapped <uid>.<gid>. Why did you opt for just the chgrp and not the full chown?

[pweil-]

@adelton in the end, I think having this be transparent to Kubernetes is the right approach. Whether that be something like shiftfs or implementation in the CRI (moby/moby#28593). You are correct that my existing proposal is not currently tracked in an open PR anymore.

The reasoning behind using the chgrp was to follow our fsgroup strategy where we just ensure group access instead of uid access.

[adelton]

Thanks @pweil-.

When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

As for the fsgroup strategy, do you mean https://kubernetes.io/docs/concepts/policy/pod-security-policy/#fsgroup or some generic methodology within Kubernetes?

I have now filed kubernetes/kubernetes#55707 as an alternative approach where I make the remapped uid/gid an explicit option, and use those values to chown/chgrp the necessary directories.

[pweil-]

When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

that would be ideal. Whether that is feasible (or more likely, feasible in an acceptable time frame) is another question 😄

As for the fsgroup strategy, do you mean https://kubernetes.io/docs/concepts/policy/pod-security-policy/#fsgroup or some generic methodology within Kubernetes?

Yes

I have now filed kubernetes/kubernetes#55707 as an alternative approach where I make the remapped uid/gid an explicit option, and use those values to chown/chgrp the necessary directories.

👍 subscribed

[adelton]

When you say transparent, you mean that nothing should be needed to be added to code or to configuration on Kubernetes' side to allow running under docker with userns-remap?

that would be ideal. Whether that is feasible (or more likely, feasible in an acceptable time frame) is another question

Ideally, the pod would specify how many distinct uids/gids it would require / list of uids it wants to see inside of the containers, and docker or different container runtime would setup the user namespace accordingly. But unless docker also changes ownership of the volumes mounted to the containers, Kubernetes will have to do that as part of the setup.

[adelton]

@pwel-, what is the best way to get some review and comments on kubernetes/kubernetes#55707, to get it closer to mergeable state?

[0xmichalis]

@pweil- ^

[pweil-]

@adelton I would try to engage the sig-node folks either at their Tuesday meeting or on slack: https://github.com/kubernetes/community/tree/master/sig-node

[adelton]

@derekwaynecarr, could you please bring kubernetes/kubernetes#55707 to sig-node's radar?

[idvoretskyi]

@pweil- @derekwaynecarr any progress on this feature is expected?

[k8s-ci-robot]

@kannon92: The provided milestone is not valid for this repository. Milestones in this repository: [v1.25, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, v1.33, v1.34]

Use /milestone clear to clear the milestone.

In response to this:

/milestone v.133

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kannon92]

/milestone v.1.33

[k8s-ci-robot]

@kannon92: The provided milestone is not valid for this repository. Milestones in this repository: [v1.25, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, v1.33, v1.34]

Use /milestone clear to clear the milestone.

In response to this:

/milestone v.1.33

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lzung]

/milestone v1.33

Hello @rata @giuseppe 👋, v1.33 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 14th February 2025 / 19:00 PDT Thursday 13th February 2025.

This enhancement is targeting stage beta for v1.33 (correct me, if otherwise)
/stage beta

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.33.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on Thursday 6th February 2025 so that the PRR team has enough time to review your KEP.

For this KEP, we would just need to update the following:

• Can you please update your KEP readme to use the latest template, and make sure to fill out all required sections?
• Release Signoff Checklist is missing subbullets for Test plan is in place, giving consideration to SIG Architecture and SIG Testing input (including test refactors) and Graduation criteria is in place
• Missing response for Risks and Mitigations
• Missing response for Prerequisite testing updates
• Missing response for What steps should be taken if SLOs are not being met to determine the problem?
• No Drawbacks but this is not vital

The status of this enhancement is marked as At risk for enhancements freeze. Please keep the issue description up-to-date with appropriate stages as well.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[rata]

@lzung the KEP is already at beta. Currently it is beta disabled by default, we are aiming for beta enabled by default. Do we need to do all of that in this tight deadline or just when we migrate to GA (with lot of other things)?

[kannon92]

@lzung the KEP is already at beta. Currently it is beta disabled by default, we are aiming for beta enabled by default. Do we need to do all of that in this tight deadline or just when we migrate to GA (with lot of other things)?

Yes, please follow the template.

All you need to do is update the KEP to the latest template.

[rata]

@kannon92 oh, I missed it was way simpler than I expected. Thanks for pointing it out! :)

PR in place to update to the latest KEP template: #5141

[gnufied]

sig-storage has some valid concerns around removal of persistent-volume restrictions that were dropped here - https://github.com/kubernetes/enhancements/pull/4084/files

See previous discussion around - kubernetes/kubernetes#111090 (comment)

It is not clear if idmap's limitations about 1:1 mapping of gids were addressed in Linux kernel. It is not clear if idmap mounts can squash multiple gids when creating mapping.

cc @dobsonj @msau42 @jsafrane @liggitt

[rata]

@gnufied Thanks for taking a look!

The comment you link to is outdated and no longer valid. The phase I design was completely changed, and those comments don't apply anymore. Let me elaborate.

The phase I PR when I opened it (I changed it before merging, more on that later), only supported secrets/configmaps and emptydir volumes and did so by changing the permissions of those. After a meeting with you, we changed it to use fsGroup and then we merged it for 1.25. The commend you did was relevant to that fsGroup design

In 1.27 we completely changed the design; we are not using fsGroup anymore and just rely on idmap mounts. I don't know to what issue you refer to now, so I can't answer your concern. But I'll add some info that might be relevant. Please, though, explain what issue you see now with the new desging.

You are the storage expert, so correct me if some CSI drivers do something differently. IIUC a CSI driver does:

mount -o gid=100 XXX /some/path/mount

After the CSI drives does the mount, then when the kubelet creates a container it just sends over CRI to create a bind-mount of /some/path/mount to a location inside the container rootfs. When userns are in use, this will create an idmap bind-mount for the path.

So, the gid squashing is not an issue, that is done by the "device-mount call" (the first mount, done by the CSI driver), then the idmap bind-mount (the second mount, done by runc) just creates a mapping for that, there is no need to squash anything and all works fine. For example:

# mount -o gid=100 /dev/sda3 mount/
# ls -ln mount/
total 64
drwxr-xr-x 2 0 100 32768 Jan 29 15:53  print
drwxr-xr-x 2 0 100 32768 Nov  8 18:08 'System Volume Information'
# mount -o X-mount.idmap=b:100:200:1 --bind mount/ idmap-bind-mount/
# ls -ln idmap-bind-mount/
total 64
drwxr-xr-x 2 65534 200 32768 Jan 29 15:53  print
drwxr-xr-x 2 65534 200 32768 Nov  8 18:08 'System Volume Information'

So, as you see, if the CSI driver does the -o gid when mounting the device, then the idmap mount later will work fine. The squashing is done at device-mount time, not at bind-mount time.

But is there some CSI driver not doing that? Do you have any example I can repro with local-up-cluster.sh?

[giuseppe]

sig-storage has some valid concerns around removal of persistent-volume restrictions that were dropped here - https://github.com/kubernetes/enhancements/pull/4084/files

See previous discussion around - kubernetes/kubernetes#111090 (comment)

It is not clear if idmap's limitations about 1:1 mapping of gids were addressed in Linux kernel. It is not clear if idmap mounts can squash multiple gids when creating mapping.

the user namespace mapping is a bijective function, each ID in the user namespace can be mapped only to an ID outside the user namespace. There is nothing like squashing of ids in the kernel,

cc @dobsonj @msau42 @jsafrane @liggitt

[sftim]

the user namespace mapping is a bijective function, each ID in the user namespace can be mapped only to an ID outside the user namespace. There is nothing like squashing of ids in the kernel,

It's not bijective. You can map a subset of the outer UID range into the user namespace. It's true that each ID in the user namespace can be mapped only to an ID outside the user namespace but it's actually an injective relationship in terms of set theory.

[dipesh-rawat]

Hi @rata @giuseppe 👋, 1.33 Enhancements team here,

Just a quick friendly reminder as we approach the enhancements freeze later this week, at 02:00 UTC Friday 14th February 2025 / 19:00 PDT Thursday 13th February 2025.

The current status of this enhancement is marked as At risk for enhancement freeze. There are a few requirements mentioned in the comment #127 (comment) that still need to be completed.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[gnufied]

But is there some CSI driver not doing that? Do you have any example I can repro with local-up-cluster.sh?

Not all CSI drivers use -o gid on first mount. In fact most don't. Only CSI drivers with capability VOLUME_MOUNT_GROUP do that. For other volume styles, the entire volume gets recursively chown/chmod (using given fsGroup) before bind mount can be prepared by the CRI.

But certain brown field volumes if they are using OnRootMismatch policy may not have uniform GID based ownership, either via recursive chown/chmod call or via mount -o gid. Will this be a problem?

I have been testing user namespace feature on a single node Fedora41 VM, with everything latest and for persistent volumes, what I have found is, no fsGroup based idmap is specified when bind mounts are created. @haircommander helped me a bit to understand the feature a bit more. If I print /run/containers/storage/overlay-containers/78407c092388b897c4d73b3e349b150bf31c024233c00b79addfa20cdb2c57db/userdata/config.json, I see following mapping:

                {
                        "destination": "/mnt/test",
                        "type": "bind",
                        "source": "/var/lib/kubelet/pods/0954e329-63f9-4448-ba2a-c47eb8d111b6/volumes/kubernetes.io~csi/pvc-0cdb10fb-7907-499f-9bfc-eeb90a51143c/mount",
                        "options": [
                                "rbind",
                                "rprivate",
                                "rw",
                                "bind"
                        ],
                        "uidMappings": [
                                {
                                        "containerID": 0,
                                        "hostID": 3007119360,
                                        "size": 65536
                                }
                        ],
                        "gidMappings": [
                                {
                                        "containerID": 0,
                                        "hostID": 3007119360,
                                        "size": 65536
                                }
                        ]

Where pod is using runAsUser: 9999 and fsGroup: 9999. The volume on the host have same GID of 9999 as 9999 inside container. It is as if, container was not using user namespaces at all. :-) I thought gidMappings will actually specify a mapping that will have something like 9999->9999 but it doesn't. Is this expected?

[rata]

@gnufied

But certain brown field volumes

What do you mean with brown field volumes? What is that? An empty persistent volume?

But certain brown field volumes if they are using OnRootMismatch policy may not have uniform GID based ownership, either via recursive chown/chmod call or via mount -o gid. Will this be a problem?

No. As I shown in the previous comment, if the first mount is done with -o gid it should just work. If there is a way to test this locally with a CSI driver that does this, please let me know how or go ahead and test it. But as I shown in the code example in my previous comment, this works just fine. The recursive chown is not an issue either, it is designed to work fine.

Where pod is using runAsUser: 9999 and fsGroup: 9999. The volume on the host have same GID of 9999 as 9999 inside container. It is as if, container was not using user namespaces at all. :-) I thought gidMappings will actually specify a mapping that will have something like 9999->9999 but it doesn't. Is this expected?

Yes, exactly! We designed it so you can use persistent storage as if userns was not there. This is what idmap mounts gives us (and some other stuff). You are running a user/group 3007119360 + 9999 on the host and access the volume files just fine. You can even disable user namespaces, change the volume and enable it again. It will all just work :-).

[sftim]

Brownfield storage is when the underlying block storage is reused but scrubbed. It's analogous to brownfield land.

By contrast, you could delete the block level storage and provision a completely empty block volume on which you build a filesystem that you then mount. That's analogous to a greenfield build.

You can also apply this to NAS; for example, you take an existing file-based volume and delete it back to one root inode. Then you reuse that with a different purpose for a new set of Pods.

[gnufied]

Thanks @rata and @giuseppe for explanations. I have tested userns feature with different volume scenarios, such as - using subpath (with different fsgroup), using brownfield volumes with different gid ownership etc and it appears to work.

[rata]

@lzung @kannon92 @dipesh-rawat All those things were just addressed and the PR is merged! #5141 (comment)

[dipesh-rawat]

Hello @rata @giuseppe 👋, 1.33 Enhancements team here,

Now that PR #5141 has been merged, all the KEP requirements are in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

(cc: @lzung)

/label tracked/yes

[rayandas]

Hello @rata @giuseppe 👋, v1.33 Docs Lead here.

Does this enhancement work planned for v1.33 require any new docs or modification to existing docs?

If so, please follow the steps here to open a PR against dev-1.33 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday 27th February 2025 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

[rata]

@AkihiroSuda wanna handle the doc PR too? You can cc me so I review, if you want :)

[AkihiroSuda]

@AkihiroSuda wanna handle the doc PR too? You can cc me so I review, if you want :)

Yes, thanks

• user-namespaces: add idsPerPod configuration website#49749

[rata]

Code PRs for 1.33:

• features: Enable user namespaces by default kubernetes#130138
• kubelet: config: add userNamespaces.idsPerPod kubernetes#130028
  Doc PR for 1.33:
• user-namespaces: add idsPerPod configuration website#49749

[aojea]

@rata I've updated the description with those links so they don't get lost on the comments thread

[rata]

@aojea thanks! I can't edit the original issue description :)