keps/sig-node/127-user-namespaces/README.md: 31 additions & 0 deletions
@@ -198,6 +198,17 @@ impact a compromised pod can have on other pods and the node itself.
198
198
199
199
### Risks and Mitigations
200
200
201
+
An error in user namespaces manager can result in the kubelet failing
202
+
initialization. We will mitigate this by having extensive unit tests to test the
203
+
case of the feature gate disabled and enabled. We will also add e2e tests to
204
+
verify the kubelet works as expected when the feature is enabled (DONE).
205
+
206
+
The KEP needs changes in the CRI interface, high-level container runtimes
207
+
(containerd, cri-o), low-level container runtimes (runc, crun) and the Linux
208
+
kernel. To mitigate possible issues with the interaction of the components
209
+
involved, we will write integration tests in k8s, containerd, cri-o, runc, crun,
210
+
cri-tools and xfstests for the Linux bits. (DONE)
211
+
201
212
## Design Details
202
213
203
214
### Pod.spec changes
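Review bot: the two new Risks and Mitigations paragraphs cover reliability only (the kubelet failing initialization, integration across the CRI, the container runtimes and the kernel), while the context line at the top of this hunk frames the feature as limiting the impact a compromised pod can have on other pods and the node; a third entry should state what happens when a runtime does not honour the new CRI fields, so that a pod requesting a user namespace through pod.spec.hostUsers is not silently run without one, and how an operator would detect that condition. Two smaller points in the same paragraphs: "An error in user namespaces manager" should read "An error in the user namespaces manager", and the "(DONE)" markers are placed inconsistently ("(DONE)." inside the sentence in the first paragraph, ". (DONE)" after the sentence in the second); pick one form.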
@@ -533,6 +544,7 @@ to implement this enhancement.
533
544
Based on reviewers feedback describe what additional tests need to be added prior
534
545
implementing this enhancement to ensure the enhancements have also solid foundations.
535
546
-->
547
+
None.
536
548
537
549
##### Unit tests
538
550
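Review bot: the new answer "None." to the prerequisite-testing question reads as if no tests exist, while the Risks and Mitigations paragraphs added in this same change say that unit, e2e and integration tests were written (and marked DONE); a single sentence such as "None beyond the unit, e2e and integration tests listed under Risks and Mitigations." would keep the two sections consistent for a reader who only looks at this one.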
@@ -1375,6 +1387,25 @@ For each of them, fill in the following information by copying the below templat
1375
1387
1376
1388
###### What steps should be taken if SLOs are not being met to determine the problem?
1377
1389
1390
+
This KEP doesn't introduce new SLOs and doesn't result in increasing time taken
1391
+
by Kubernetes components.
1392
+
1393
+
As explained in "Will enabling / using this feature result in increasing time
1394
+
taken by any operations covered by existing SLIs/SLOs?" if the container runtime
1395
+
wants to support this in older kernels, it can have an impact on this SLO:
1396
+
1397
+
> Startup latency of schedulable pods, excluding time to pull images and run init containers, measured from pod creation timestamp to when all its containers are reported as started and observed via watch, measured as 99th percentile over last 5 minutes
1398
+
1399
+
At the time of writing, no container runtime supports user namespaces with old
1400
+
kernels, so no container runtime is affected. There is no plan to support that
1401
+
scenario either, at the time of writing.
1402
+
1403
+
However, if a container runtime supports userns with old kernels in the future,
1404
+
to determine if user namespaces are affecting the SLO it should be tested if
1405
+
pods without the pod.spec.hostUsers line are also affected. If they are not
1406
+
affected (IOW, pods without using user namespaces), then user namespaces seem to
1407
+
be the cause of the problem.
1408
+
1378
1409
## Implementation History
1379
1410
1380
1411
- 2016: First iterations of this KEP, but code never landed upstream.
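Review bot: the opening sentence "This KEP doesn't introduce new SLOs and doesn't result in increasing time taken by Kubernetes components" is contradicted two paragraphs later, where a container runtime that supports user namespaces on old kernels "can have an impact on this SLO"; qualify the first sentence (for example, "with the kernels currently supported by the container runtimes") so the answer is consistent. The troubleshooting step at the end should also spell out the concrete comparison: a pod that sets pod.spec.hostUsers to request a user namespace against an otherwise identical pod that leaves the field unset, since "pods without the pod.spec.hostUsers line" is the only hint the reader gets about which pods are in scope. Minor wording: expand "userns" and "IOW" in a design document, and "it should be tested if pods ... are also affected" reads better as "test whether pods ... are also affected".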