2727 - [ Regarding the previous implementation for volumes] ( #regarding-the-previous-implementation-for-volumes )
2828 - [ Pod Security Standards (PSS) integration] ( #pod-security-standards-pss-integration )
2929 - [ Unresolved] ( #unresolved )
30- - [ Pod Security Standards (PSS)] ( #pod-security-standards-pss )
3130 - [ Test Plan] ( #test-plan )
3231 - [ Prerequisite testing updates] ( #prerequisite-testing-updates )
3332 - [ Unit tests] ( #unit-tests )
@@ -464,27 +463,24 @@ components that implement the interface.
464463
465464[ Pod Security Standards] ( https://k8s.io/docs/concepts/security/pod-security-standards )
466465define three different policies to broadly cover the whole security spectrum of
467- Kubernetes, while the User Namespaces feature should integrate into them. This
468- will happen only if the feature is graduated to GA, which _ may_ result in
469- changing the ` Restricted ` profile to disallow host user namespaces for stateless
470- Pods.
466+ Kubernetes, while the User Namespaces feature should integrate into them.
471467
472468The Pod Security will relax in a controlled way for pods which enable user
473469namespaces. This behavior can be controlled by an API Server Feature Gate, which
474470allows an early opt-in for end users. The overall burden to ensure that all
475- nodes will honor user namespaces is on the cluster admin, though. The relaxation
476- in detail means, that if user namespaces are enabled, then the following fields
477- won't be restricted any more because they always have to refer to the user
478- inside the container:
479-
480- - ` spec.securityContext.runAsNonRoot `
481- - ` spec.containers[*].securityContext.runAsNonRoot `
482- - ` spec.initContainers[*].securityContext.runAsNonRoot `
483- - ` spec.ephemeralContainers[*].securityContext.runAsNonRoot `
484- - ` spec.securityContext.runAsUser `
485- - ` spec.containers[*].securityContext.runAsUser `
486- - ` spec.initContainers[*].securityContext.runAsUser `
487- - ` spec.ephemeralContainers[*].securityContext.runAsUser `
471+ nodes will honor user namespaces is on the cluster admin, though.
472+
473+ For ` baseline ` and ` restricted ` namespaces, if a pod has ` hostUsers ` set to false, then the fields ` runAsNonRoot ` can be set to false and
474+ ` runAsUser ` and ` runAsGroup ` can be set to any value for any ` securityContext ` in the pod (pod, container, initContainer, ephemeralContainer).
475+
476+ For ` baseline ` namespaces, pods with ` hostUsers ` set to false can set any value for the ` capabilities.add ` field,
477+ whereas normally in a ` baseline ` namespace a pod is restricted to adding certain capabilities.
478+
479+ The validation for capabilities can be relaxed in a ` baseline ` pod because capabilities
480+ are user namespaced in the linux kernel, and any pod does not have a seccomp profile (as baseline
481+ pods may not be required to, depending on the kubelet's ` seccompDefault ` configuration field)
482+ has access to the ` unshare ` syscall, allowing a user to create a user
483+ namespace in the pod, and gain the full set of capabilities within a user namespace.
488484
489485A serial test will be added to validate the functionality with the enabled
490486feature gate.
@@ -510,24 +506,6 @@ something else to this list:
510506 allows). Same applies for VM runtimes.
511507 UPDATE: Windows maintainers reviewed and [ this change looks good to them] [ windows-review ] .
512508
513- #### Pod Security Standards (PSS)
514-
515- The following security context fields have not been relaxed with respect to PSS
516- because of [ raised security concerns] ( https://github.com/kubernetes/kubernetes/pull/118760#discussion_r1373287637 ) :
517-
518- - ` spec.containers[*].securityContext.allowPrivilegeEscalation `
519- - ` spec.initContainers[*].securityContext.allowPrivilegeEscalation `
520- - ` spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation `
521- - ` spec.containers[*].securityContext.capabilities.drop `
522- - ` spec.initContainers[*].securityContext.capabilities.drop `
523- - ` spec.ephemeralContainers[*].securityContext.capabilities.drop `
524- - ` spec.containers[*].securityContext.capabilities.add `
525- - ` spec.initContainers[*].securityContext.capabilities.add `
526- - ` spec.ephemeralContainers[*].securityContext.capabilities.add `
527-
528- Further investigations will be done in future Kubernetes releases to revisit
529- them.
530-
531509### Test Plan
532510
533511<!--
0 commit comments