
user-namespaces: add idsPerPod configuration #49749

Draft
wants to merge 1 commit into
base: dev-1.33

Conversation

AkihiroSuda
Member

Description

Kubernetes v1.33 will support setting userNamespaces.idsPerPod in KubeletConfiguration.

Depends on:

Issue

Closes: NONE

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 14, 2025
@AkihiroSuda AkihiroSuda marked this pull request as draft February 14, 2025 02:10
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. language/en Issues or PRs related to English language size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 14, 2025
@AkihiroSuda
Member Author

cc @rata


netlify bot commented Feb 14, 2025

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 4691c9c
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/67aea5f71f51ab0008718003
😎 Deploy Preview https://deploy-preview-49749--kubernetes-io-main-staging.netlify.app


netlify bot commented Feb 14, 2025

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit ba6bf9d
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/67b836e071e9640009094d29
😎 Deploy Preview https://deploy-preview-49749--kubernetes-io-main-staging.netlify.app

Member

@rata rata left a comment


LGTM.

Left an idea of a possible clarification, but I'm not the best with wordings, feel free to leave it out :D

@rata
Member

rata commented Feb 14, 2025

@AkihiroSuda the change LGTM, however I just realized it's against the wrong branch. See the comment, it should be against the branch dev-1.33. Can you adjust that?

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Feb 21, 2025
@AkihiroSuda AkihiroSuda changed the base branch from main to dev-1.33 February 21, 2025 08:17
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 21, 2025
Kubernetes v1.33 will support setting `userNamespaces.idsPerPod`
in `KubeletConfiguration`.

Depends on k/k PR 130028

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 21, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rata
Once this PR has been reviewed and has the lgtm label, please assign salaxander for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


netlify bot commented Feb 21, 2025

👷 Deploy Preview for kubernetes-io-vnext-staging processing.

Name Link
🔨 Latest commit ba6bf9d
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/67b836e070aed40008558a44

Member

@rata rata left a comment


@AkihiroSuda found another place we needed to update, left a suggestion on how to change it. Other than that, I think you can mark this PR as ready for review :)

Member


This file, above this diff, says:

> The valid UIDs/GIDs when this feature is enabled is the range 0-65535. This applies to files and processes (runAsUser, runAsGroup, etc.).
>
> Files using a UID/GID outside this range will be seen as belonging to the overflow ID, usually 65534 (configured in /proc/sys/kernel/overflowuid and /proc/sys/kernel/overflowgid). However, it is not possible to modify those files, even by running as the 65534 user/group.

What if we add a note there (a "by default" in the first paragraph and a note after these two paragraphs), like:

> By default, the valid UIDs/GIDs when this feature is enabled is the range 0-65535. This applies to files and processes (runAsUser, runAsGroup, etc.).
>
> Files using a UID/GID outside this range will be seen as belonging to the overflow ID, usually 65534 (configured in /proc/sys/kernel/overflowuid and /proc/sys/kernel/overflowgid). However, it is not possible to modify those files, even by running as the 65534 user/group.
>
> If the range 0-65536 is extended with a configuration knob, the aforementioned restrictions apply to the extended range.
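As an added illustration, not code from this PR or from kubernetes/website, the Go program below models the behaviour discussed in the review above: a pod's user namespace gets a contiguous ID range of `idsPerPod` entries, host IDs outside that range show up inside the pod as the kernel overflow ID (65534), and securityContext IDs outside `[0, idsPerPod)` are invalid. It assumes the kubelet's rule that `idsPerPod` must be a positive multiple of 65536 and uses a constructed host base of 1,000,000.

```go
package main

import (
	"fmt"
	"sort"
)
const (
	DefaultIDsPerPod = 65536 // kubelet default for userNamespaces.idsPerPod
	OverflowID       = 65534 // kernel default overflowuid/overflowgid, as quoted in the review
)

// PodIDMapping: in-pod IDs [0, Length) map to host IDs [HostBase, HostBase+Length).
type PodIDMapping struct {
	HostBase uint32
	Length   uint32
}

// NewPodIDMapping validates idsPerPod (assumed kubelet rule: a positive multiple of 65536).
func NewPodIDMapping(hostBase, idsPerPod uint32) (PodIDMapping, error) {
	if idsPerPod == 0 || idsPerPod%65536 != 0 {
		return PodIDMapping{}, fmt.Errorf("idsPerPod %d must be a positive multiple of 65536", idsPerPod)
	}
	return PodIDMapping{HostBase: hostBase, Length: idsPerPod}, nil
}
// HostToContainer: how a host-owned file/process appears in the pod; unmapped host IDs show as OverflowID.
func (m PodIDMapping) HostToContainer(hostID uint32) (id uint32, mapped bool) {
	if hostID < m.HostBase || hostID-m.HostBase >= m.Length {
		return OverflowID, false // not modifiable from the pod even when running as 65534
	}
	return hostID - m.HostBase, true
}

// InvalidSecurityContextIDs lists securityContext fields whose value is outside [0, idsPerPod).
func (m PodIDMapping) InvalidSecurityContextIDs(ids map[string]int64) []string {
	var bad []string
	for field, id := range ids {
		if id < 0 || id >= int64(m.Length) {
			bad = append(bad, field)
		}
	}
	sort.Strings(bad) // deterministic order
	return bad
}

func main() {
	m, _ := NewPodIDMapping(1_000_000, DefaultIDsPerPod) // constructed host base
	fmt.Println(m.HostToContainer(1_001_000)) // 1000 true
	fmt.Println(m.HostToContainer(5_000_000)) // 65534 false
	fmt.Println(m.InvalidSecurityContextIDs(map[string]int64{"runAsUser": 70000, "fsGroup": 1000}))
}
```

Raising `idsPerPod` to 131072 makes `runAsUser: 70000` valid, which is the point of the "extended range" note proposed above.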
