KubeCon + CloudNativeCon Europe 2021 Virtual

Running a process as root inside containers is a security risk: if such a process is able to break out of the container into the host, it can cause considerable damage as it will be running as a privileged user there. The good news is that Linux has a solution for this problem: user namespaces isolate user and group IDs, so a process running as root in a container runs as non-root in the host. The bad news is that Kubernetes doesn’t yet support user namespaces. So, we created a Kubernetes Enhancement Proposal (KEP-127) with a plan to bring this support to a future release. We also implemented a prototype of this idea in Kubernetes and containerd. In this talk, I’ll introduce user namespaces and how they can increase the security of a Kubernetes cluster. I’ll explain how we are working with the community to bring this support to Kubernetes, the challenges we are facing, in particular with volumes, and how different approaches like shiftfs and idmapped mounts are trying to fix them.