Kubernetes v1.25: Security with User Namespaces for Pods
ayedo editorial team, 2 minute read


Learn how user namespaces in Kubernetes v1.25 enhance pod security and enable secure workloads.

Kubernetes v1.25 introduces a significant new feature: support for user namespaces. With it, each pod can be confined to its own limited range of UIDs and GIDs on the host, which adds a further layer of isolation between pods that share the same node.

What Changes for Developers/DevOps Teams?

With user namespace support, developers and DevOps teams can deploy applications with stronger isolation. Each pod runs in its own user namespace with IDs that are unique on the host, which limits the impact of a security incident. In particular, a workload can run as root inside its container without that translating into root on the host. This isolation is especially valuable in multi-tenant environments where different teams or applications share the same cluster.

Practical Examples or Use Cases

Imagine running an application that needs to operate as a root user. With user namespaces, you can map the root ID within the pod to a non-zero ID outside the container. This means the application within the container believes it is running as root, while from the host’s perspective, it operates with a regular, unprivileged ID. This ensures the application has the necessary permissions without endangering host security.

How to Enable User Namespaces

User namespace support is currently disabled by default, so you must opt in per pod by setting hostUsers to false in the pod specification:

apiVersion: v1
kind: Pod
metadata:
  name: userns-demo   # constructed name; the original snippet omits metadata
spec:
  hostUsers: false    # opt this pod into its own user namespace
  containers:
  - name: nginx
    image: docker.io/nginx

Note that this feature is behind a feature gate: enable UserNamespacesStatelessPodsSupport before using it. In addition, the container runtime must support user namespaces:

  • containerd: Support is planned for version 1.7. More information can be found in issue #7063.
  • CRI-O: Version 1.25 already supports user namespaces.
  • Support for cri-dockerd is currently not planned.
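To confirm from inside a running pod that the mapping described above is actually in effect, here is an added shell example (not from the original post or the Kubernetes project) that parses the /proc/self/uid_map format, one line of "<inside-start> <outside-start> <count>" per mapped range, and reports which host UID the container's root (UID 0) really holds. The sample maps are constructed; the same format applies to /proc/self/gid_map.

```shell
#!/bin/sh
# Added example: classify a process's uid_map to see whether "root" in the
# container is host root (no user namespace) or an unprivileged host UID.
# Usage inside a pod:  classify_uid_map "$(cat /proc/self/uid_map)"

# Read uid_map text on stdin and print the host UID that container UID 0
# maps to. Prints nothing and returns 1 if UID 0 is not mapped at all.
host_uid_for_root() {
    while read -r inside outside count; do
        # skip blank or malformed lines
        [ -n "$inside" ] && [ -n "$outside" ] && [ -n "$count" ] || continue
        # a range starting at inside-UID 0 with at least one entry covers root
        if [ "$inside" -eq 0 ] && [ "$count" -ge 1 ]; then
            echo "$outside"
            return 0
        fi
    done
    return 1
}

# Classify a uid_map string:
#   identity  - root maps to host UID 0 (hostUsers: true, or no user namespace)
#   isolated  - root maps to a non-zero, unprivileged host UID
#   unmapped  - UID 0 is not mapped at all
classify_uid_map() {
    uid=$(printf '%s\n' "$1" | host_uid_for_root) || { echo unmapped; return 0; }
    if [ "$uid" -eq 0 ]; then
        echo identity
    else
        echo isolated
    fi
}

# Constructed samples mirroring what /proc/self/uid_map can look like:
IDENTITY_MAP='0 0 4294967295'   # whole host range mapped 1:1, root is host root
ISOLATED_MAP='0 65536 65536'    # root -> host UID 65536 (constructed value)

# Convenience wrapper for the calling process itself (Linux only).
classify_self() {
    classify_uid_map "$(cat /proc/self/uid_map)"
}
```

A result of "identity" inside a pod means the user namespace is not active for it, for example because the feature gate or runtime support is missing.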

Get Involved

If you want to learn more about user namespaces or get involved with the community, you can reach SIG Node through various channels:

You can also contact us directly:

  • GitHub / Slack: @rata @giuseppe

With the support of ayedo as an experienced Kubernetes partner, you are well-equipped to leverage the new capabilities of Kubernetes v1.25 and make your applications more secure.

Source: Kubernetes Blog