Kubernetes v1.33: User Namespaces enabled by default!
Kubernetes v1.33 now enables user namespaces by default, enhancing pod security. User namespaces, a Linux kernel feature distinct from Kubernetes namespaces, isolate container UIDs and GIDs from the host. This isolation prevents lateral movement between containers and increases host security even if a container escapes. Enabling user namespaces allows running applications requiring privileged operations without granting full root access on the host. Pods opt into user namespaces by setting hostUsers: false in the pod specification. The functionality requires file systems supporting idmap mounts, a Linux kernel feature simplifying UID/GID mapping. While a kernel version 6.3 or higher is recommended for full support, older kernels may work with limitations. User namespaces mitigate numerous CVEs by preventing root privileges on the host even if a container is compromised. This significantly improves security by limiting the impact of container escapes and enhancing overall system protection. Further information and resources are available for deeper understanding and implementation.
hostUsers: falsein the pod specification. The functionality requires file systems supporting idmap mounts, a Linux kernel feature simplifying UID/GID mapping. While a kernel version 6.3 or higher is recommended for full support, older kernels may work with limitations. User namespaces mitigate numerous CVEs by preventing root privileges on the host even if a container is compromised. This significantly improves security by limiting the impact of container escapes and enhancing overall system protection. Further information and resources are available for deeper understanding and implementation.