Support User Namespaces in pods

[derekwaynecarr]

Enhancement Description

• One-line enhancement description (can be used as a release note): Add support for user namespaces in pods
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-node/127-user-namespaces/README.md
• Discussion Link: This was discussed in several sig-node meetings, most notable Nov 2 2021 and in this PR, that feedback was incorporated already by this KEP is taking: keps/127: Support User Namespaces #2101.
• Primary contact (assignee): @rata @giuseppe
• Responsible SIGs: sig-node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): 1.25
  • Beta1 release target (x.y): 1.30
  • Beta2 release target (x.y): 1.33
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • v1.24 127: Add KEP for user namespaces support #3065
    • v1.25 KEP-127: Mark as implementable (target phase I for 1.25) #3275
    • v1.27 KEP-127: Support userns in stateless pods with idmap mounts #3811
    • v1.28 [KEP-127] Add Pod Security Standards to User Namespaces KEP #4044
    • v1.28 KEP-127: add support for stateful pods #4084
    • v1.28 KEP-127: Fix user namespaces feature gate name #4107
    • v1.28 KEP-127: Update feature gate name and update last-milestone for 1.29 #4147
  • Code (k/k) update PR(s):
    • v1.27 KEP-127: user namespace support for stateless pods kubernetes#116377
    • v1.28 apis: drop check for volumes with user namespaces kubernetes#118691
    • v1.29 KEP-127: Update PSS based on feature gate kubernetes#118760
  • Docs (k/website) update PR(s):
    • v1.27 Document user namespace changes in v1.27 (KEP-127) website#39860
    • v1.28 Doc update for userns in 1.28 website#41908 (v1.28)
    • v1.29 [KEP-127] Add documentation about user namespaces and PSS website#43803 (v1.29)
• Beta 1 （default off）
  • KEP (k/enhancements) update PR(s):
    • KEP-127: graduate to Beta for 1.30 #4439
  • Code (k/k) update PR(s):
    • KEP-127: require userns support from the CRI runtime before using it kubernetes#123216
    • KEP-127: kubelet: honor kubelet user mappings kubernetes#123593
    • KEP-127: Add UserNamespacesPodSecurityStandards e2e test kubernetes#121606
  • Docs (k/website) update(s):
    • Feature blog 1.30: user namespaces website#45354
    • User namespaces doc changes for 1.30 website#45178
• Beta 2 （default on）
  • KEP (k/enhancements) update PR(s):
    • KEP-127: update beta to be on by default #5118
    • KEP-127 (UserNS): allow customizing subids length  #5020
    • KEP-127: Update userns KEP template to latest and and answer more sections #5141
    • KEP 127: add a metric, describe an error kubelet will return, and target one more beta #5413
  • Code PRs for 1.33:
    • features: Enable user namespaces by default kubernetes#130138
    • kubelet: config: add userNamespaces.idsPerPod kubernetes#130028
    • Revert userns kernel check kubernetes#130243
    • Userns: Add e2e tests for custom kubelet mappings, skip on windows and minor improvements kubernetes#130726
    • Fix unit tests on windows kubernetes#130800
    • userns: Don't special-case windows for the kubelet userns mappings kubernetes#130820.
  • Doc PR for 1.33:
    • user-namespaces: add idsPerPod configuration website#49749

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[derekwaynecarr]

This work is being done by @pweil- and is reviewed by @derekwaynecarr, it is sponsored by @kubernetes/sig-node

[mdshuai]

@derekwaynecarr Could you help create a user story card for this feature?

[idvoretskyi]

@derekwaynecarr can you confirm that this feature targets alpha for 1.5?

[pweil-]

@derekwaynecarr can you confirm that this feature targets alpha for 1.5?

Yes, this feature is experimental only so it would be considered alpha.

[idvoretskyi]

@derekwaynecarr @pweil- can you confirm that this item targets beta in 1.6?