Commit afd8051

Merge pull request #49749 from AkihiroSuda/userns-65536
user-namespaces: add idsPerPod configuration
2 parents 4df1db9 + f39cd36 commit afd8051

1 file changed

+25
-4
lines changed

content/en/docs/concepts/workloads/pods/user-namespaces.md

Lines changed: 25 additions & 4 deletions
@@ -86,14 +86,17 @@ to guarantee that no two pods on the same node use the same mapping.
8686
The `runAsUser`, `runAsGroup`, `fsGroup`, etc. fields in the `pod.spec` always
8787
refer to the user inside the container.
8888

89-
The valid UIDs/GIDs when this feature is enabled is the range 0-65535. This
90-
applies to files and processes (`runAsUser`, `runAsGroup`, etc.).
89+
By default, the valid UIDs/GIDs when this feature is enabled is the range 0-65535.
90+
This applies to files and processes (`runAsUser`, `runAsGroup`, etc.).
9191

9292
Files using a UID/GID outside this range will be seen as belonging to the
9393
overflow ID, usually 65534 (configured in `/proc/sys/kernel/overflowuid` and
9494
`/proc/sys/kernel/overflowgid`). However, it is not possible to modify those
9595
files, even by running as the 65534 user/group.
9696

97+
If the range 0-65535 is extended with a configuration knob, the aforementioned
98+
restrictions apply to the extended range.
99+
97100
Most applications that need to run as root but don't access other host
98101
namespaces or resources, should continue to run fine without any changes needed
99102
if user namespaces is activated.
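Review bot: the rewritten sentence at lines 89-90 keeps a subject/verb mismatch ("the valid UIDs/GIDs ... is the range"); suggest "By default, the valid UIDs/GIDs when this feature is enabled are the range 0-65535." The new paragraph at lines 97-98 says "a configuration knob" without naming it, even though the commit message says the knob is `idsPerPod`; naming it and pointing to where it is documented would save readers a search, e.g. "If the range 0-65535 is extended with `idsPerPod`, the aforementioned restrictions apply to the extended range." That wording also makes clear that the overflow-ID behaviour described at lines 92-95 (out-of-range files show up as 65534 and cannot be modified) still holds at the new upper bound rather than at 65535.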
@@ -177,8 +180,6 @@ to the `kubelet` user:
177180
configuration.
178181

179182
* The subordinate ID count must be a multiple of 65536
180-
(for Kubernetes {{< skew currentVersion >}} the subordinate ID count for each Pod is hard-coded
181-
to 65536).
182183

183184
* The subordinate ID count must be at least `65536 x <maxPods>` where `<maxPods>`
184185
is the maximum number of pods that can run on the node.
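Review bot: removing the hard-coded-65536 parenthetical at lines 180-181 leaves the sizing rule at lines 184-185 stale, because "at least `65536 x <maxPods>`" is only correct for the default per-pod ID count. Once the count is configurable, a node running with a larger value needs a proportionally larger subordinate range, otherwise the kubelet's range no longer covers `<maxPods>` distinct mappings, which is what the hunk header at line 86 ("no two pods on the same node use the same mapping") relies on. Suggest "The subordinate ID count must be at least `<idsPerPod> x <maxPods>`, where `<idsPerPod>` is the configured ID count per Pod (65536 by default)". The retained bullet at line 182 ("must be a multiple of 65536") is still fine as written.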
@@ -209,6 +210,26 @@ kubelet:65536:7208960
209210
[CVE-2021-25741]: https://github.com/kubernetes/kubernetes/issues/104980
210211
[shadow-utils]: https://github.com/shadow-maint/shadow
211212

213+
## ID count for each of Pods
214+
Starting with Kubernetes v1.33, the ID count for each of Pods can be set in
215+
[`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/).
216+
217+
```yaml
218+
apiVersion: kubelet.config.k8s.io/v1beta1
219+
kind: KubeletConfiguration
220+
userNamespaces:
221+
idsPerPod: 1048576
222+
```
223+
224+
The value of `idsPerPod` (uint32) must be a multiple of 65536.
225+
The default value is 65536.
226+
This value only applies to containers created after the kubelet was started with
227+
this `KubeletConfiguration`.
228+
Running containers are not affected by this config.
229+
230+
In Kubernetes prior to v1.33, the ID count for each of Pods was hard-coded to
231+
65536.
232+
212233
## Integration with Pod security admission checks
213234

214235
{{< feature-state state="alpha" for_k8s_version="v1.29" >}}
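Review bot: the example value at line 221 (`idsPerPod: 1048576`) is inconsistent with the subordinate ID entry shown in this hunk's header (`kubelet:65536:7208960`): 7208960 / 1048576 = 6.875, so that range fits only 6 pods at 1048576 IDs each, and an operator who copies both examples ends up with a node that cannot give more than 6 pods a unique mapping. The section should say that raising `idsPerPod` requires enlarging the kubelet's subordinate range so that `idsPerPod x maxPods` still fits, or the example should use a value the documented range can accommodate. Smaller points: "ID count for each of Pods" at lines 213, 214 and 230 reads oddly, "ID count per Pod" is clearer; lines 226-228 talk about "containers" while the mapping described elsewhere in the page is per pod, so "pods created after the kubelet was started ... existing pods are not affected" is more accurate; line 224 states the multiple-of-65536 constraint but not what the kubelet does with a value that violates it (refuses to start? falls back to the default?), which is worth one sentence; and since the setting is version-gated ("Starting with Kubernetes v1.33"), a `{{< feature-state >}}` shortcode like the one at line 235 would match the rest of the page.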
