Kubernetes v1.33: User Namespa... Note

Kubernetes v1.33: User Namespaces enabled by default!

Kubernetes v1.33 now enables user namespaces by default, enhancing pod security. User namespaces, a Linux kernel feature distinct from Kubernetes namespaces, isolate container UIDs and GIDs from the host. This isolation prevents lateral movement between containers and increases host security even if a container escapes. Enabling user namespaces allows running applications requiring privileged operations without granting full root access on the host. Pods opt into user namespaces by setting hostUsers: false in the pod specification. The functionality requires file systems supporting idmap mounts, a Linux kernel feature simplifying UID/GID mapping. While a kernel version 6.3 or higher is recommended for full support, older kernels may work with limitations. User namespaces mitigate numerous CVEs by preventing root privileges on the host even if a container is compromised. This significantly improves security by limiting the impact of container escapes and enhancing overall system protection. Further information and resources are available for deeper understanding and implementation.