Kubernetes Blog
Follow
Kubernetes v1.36: User Namespaces in Kubernetes are finally GA
Kubernetes v1.36 introduced General Availability support for
User Namespaces, a Linux-only feature enabling enhanced security
isolation for containerized workloads. This long-awaited milestone
allows "rootless" security isolation for Kubernetes applications.
A critical capability is running workloads with privileges yet
confined within the user namespace by setting hostUsers: false.
This makes certain capabilities, like CAP_NET_ADMIN, namespaced,
granting administrative power only over local container resources.
Previously, a process root within a container was also root on the
host, posing a significant security risk during breakouts.
The key enabler for this feature is ID-mapped mounts, which transparently
remap UIDs and GIDs at mount time without altering disk ownership.
This resolves performance issues related to volume ownership updates
that plagued earlier development stages.
Implementing user namespaces is simple: set hostUsers: false in the
Pod spec, requiring no changes to container images or complex
configuration. The feature leverages the same interface introduced
during the Alpha phase. This advancement represents years of cross-project
collaboration between Kubernetes SIG Node, container runtimes, and
the Linux kernel.