Friday, May 7 • 13:45 - 14:20
Isolate the Users! Supporting User Namespaces in K8s for Increased Security - Mauricio Vásquez, Kinvolk

Running a process as root inside a container is a security risk: if such a process is able to break out of the container onto the host, it can cause considerable damage, because it will be running as a privileged user there. The good news is that Linux has a solution for this problem: user namespaces isolate user and group IDs, so a process running as root in a container runs as non-root on the host. The bad news is that Kubernetes doesn’t yet support user namespaces. So, we created a Kubernetes Enhancement Proposal (KEP-127) with a plan to bring this support to a future release. We also implemented a prototype of this idea in Kubernetes and containerd. In this talk, I’ll introduce user namespaces and how they can increase the security of a Kubernetes cluster. I’ll explain how we are working with the community to bring this support to Kubernetes, the challenges we are facing, in particular with volumes, and how different approaches such as shiftfs and idmapped mounts are trying to fix them.
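As an added illustration of the ID mapping the abstract describes (this is not code from the talk, Kubernetes or containerd): a small Go helper that parses the `/proc/<pid>/uid_map` format and translates a UID as seen inside the container into the UID the host kernel actually enforces. The sample map is constructed; the `0 100000 65536` layout is the kind a runtime writes for a pod whose root is mapped onto an unprivileged host range.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Mapping is one uid_map/gid_map line: "<first id inside ns> <first id outside ns> <count>".
type Mapping struct{ Inside, Outside, Count uint32 }

// ParseIDMap parses the text of a uid_map/gid_map file into its mappings.
func ParseIDMap(text string) ([]Mapping, error) {
	f := strings.Fields(text) // whitespace-separated, exactly three fields per line
	if len(f) == 0 || len(f)%3 != 0 {
		return nil, fmt.Errorf("malformed id_map: %q", text)
	}
	var maps []Mapping
	for i := 0; i < len(f); i += 3 {
		var v [3]uint32
		for j, s := range f[i : i+3] {
			n, err := strconv.ParseUint(s, 10, 32)
			if err != nil || (j == 2 && n == 0) { // the kernel rejects a zero-length range
				return nil, fmt.Errorf("bad field %q in id_map", s)
			}
			v[j] = uint32(n)
		}
		maps = append(maps, Mapping{v[0], v[1], v[2]})
	}
	return maps, nil
}

// ToHost translates an ID seen inside the namespace into the host ID; ok is false if unmapped.
func ToHost(maps []Mapping, inside uint32) (host uint32, ok bool) {
	for _, m := range maps {
		if inside >= m.Inside && inside-m.Inside < m.Count {
			return m.Outside + (inside - m.Inside), true
		}
	}
	return 0, false
}

func main() {
	// Constructed sample: container root (0) mapped onto the unprivileged host range 100000+.
	maps, _ := ParseIDMap("         0     100000      65536\n")
	host, _ := ToHost(maps, 0)
	fmt.Printf("uid 0 in the container is uid %d on the host\n", host) // 100000
}
```

A process not inside any user namespace sees the identity map `0 0 4294967295`, which is why container root without a user namespace is host root.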


Mauricio Vásquez Bernal

Software Engineer, Kinvolk
Mauricio works as a software engineer in the Kinvolk Labs team. He is interested in eBPF, Kubernetes, networking and tracing technologies. In previous years Mauricio has worked on implementing high-performance virtual network functions with eBPF. In 2019 he focused on the OpenTelemetry... Read More →

Friday May 7, 2021 13:45 - 14:20 CEST
Security Theater
Security + Identity + Policy