Kubernetes v1.36: User Namespaces in Kubernetes are finally GA
13 hours ago
- #Containerization
- #Security
- #Kubernetes
- User Namespaces support in Kubernetes reaches GA with v1.36, a Linux-only feature.
- Enables rootless security isolation and allows workloads with privileges to be confined in user namespaces.
- Setting hostUsers: false makes capabilities like CAP_NET_ADMIN namespaced, granting container-local admin power.
- Addresses security risks by isolating container processes from host UID 0, mitigating container breakout threats.
- Uses ID-mapped mounts (Linux 5.12+) to transparently remap UIDs/GIDs, eliminating expensive chown operations.
- Implementation is straightforward via hostUsers: false in Pod spec, requiring no image changes.