Kubernetes v1.36: User Namespa... Note

Kubernetes v1.36: User Namespaces in Kubernetes are finally GA

Kubernetes v1.36 introduced General Availability support for User Namespaces, a Linux-only feature enabling enhanced security isolation for containerized workloads. This long-awaited milestone allows "rootless" security isolation for Kubernetes applications. A critical capability is running workloads with privileges yet confined within the user namespace by setting hostUsers: false. This makes certain capabilities, like CAP_NET_ADMIN, namespaced, granting administrative power only over local container resources. Previously, a process root within a container was also root on the host, posing a significant security risk during breakouts. The key enabler for this feature is ID-mapped mounts, which transparently remap UIDs and GIDs at mount time without altering disk ownership. This resolves performance issues related to volume ownership updates that plagued earlier development stages. Implementing user namespaces is simple: set hostUsers: false in the Pod spec, requiring no changes to container images or complex configuration. The feature leverages the same interface introduced during the Alpha phase. This advancement represents years of cross-project collaboration between Kubernetes SIG Node, container runtimes, and the Linux kernel.