@@ -86,14 +86,17 @@ to guarantee that no two pods on the same node use the same mapping.
The ` runAsUser ` , ` runAsGroup ` , ` fsGroup ` , etc. fields in the ` pod.spec ` always
refer to the user inside the container.
- The valid UIDs/GIDs when this feature is enabled is the range 0-65535. This
- applies to files and processes (` runAsUser ` , ` runAsGroup ` , etc.).
+ By default, the valid UIDs/GIDs when this feature is enabled is the range 0-65535.
+ This applies to files and processes (` runAsUser ` , ` runAsGroup ` , etc.).
Files using a UID/GID outside this range will be seen as belonging to the
overflow ID, usually 65534 (configured in ` /proc/sys/kernel/overflowuid ` and
` /proc/sys/kernel/overflowgid ` ). However, it is not possible to modify those
files, even by running as the 65534 user/group.
+ If the range 0-65535 is extended with a configuration knob, the aforementioned
+ restrictions apply to the extended range.
+
Most applications that need to run as root but don't access other host
namespaces or resources, should continue to run fine without any changes needed
if user namespaces is activated.
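Review bot: the new sentence "If the range 0-65535 is extended with a configuration knob" leaves the knob unnamed, even though this same change documents it; name `userNamespaces.idsPerPod` in `KubeletConfiguration` here and link to that section so readers know where the extended range comes from. It would also help to spell out what "the aforementioned restrictions" means for the extended range: the overflow-ID behaviour described just above then applies to IDs outside the configured range rather than outside 0-65535 (for `idsPerPod: 1048576`, presumably 0-1048575 are valid; worth confirming and stating). Minor grammar in the rewritten bullet: "the valid UIDs/GIDs ... is the range" should be "are the range", and in the surrounding context "if user namespaces is activated" should be "are activated".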
@@ -177,8 +180,6 @@ to the `kubelet` user:
configuration.
* The subordinate ID count must be a multiple of 65536
- (for Kubernetes {{< skew currentVersion >}} the subordinate ID count for each Pod is hard-coded
- to 65536).
* The subordinate ID count must be at least ` 65536 x <maxPods> ` where ` <maxPods> `
is the maximum number of pods that can run on the node.
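Review bot: dropping the "hard-coded to 65536" parenthetical is right now that the count is configurable, but the bullet that follows still says the subordinate ID count must be at least `65536 x <maxPods>`, which only holds for the default. Suggest `<idsPerPod> x <maxPods>` (or "65536 x <maxPods> with the default `idsPerPod`") with a link to the new section, so that an operator who raises `idsPerPod` without enlarging the kubelet user's subordinate ID range in `/etc/subuid` and `/etc/subgid` is not misled into thinking the range still covers `<maxPods>`. It is also worth confirming and stating whether the count must be a multiple of the configured `idsPerPod` rather than only of 65536.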
@@ -209,6 +210,26 @@ kubelet:65536:7208960
[ CVE-2021-25741 ] : https://github.com/kubernetes/kubernetes/issues/104980
[ shadow-utils ] : https://github.com/shadow-maint/shadow
+ ## ID count for each of Pods
+ Starting with Kubernetes v1.33, the ID count for each of Pods can be set in
+ [ ` KubeletConfiguration ` ] ( /docs/reference/config-api/kubelet-config.v1beta1/ ) .
+
+ ``` yaml
+ apiVersion : kubelet.config.k8s.io/v1beta1
+ kind : KubeletConfiguration
+ userNamespaces :
+ idsPerPod : 1048576
+ ` ` `
+
+ The value of ` idsPerPod` (uint32) must be a multiple of 65536.
+ The default value is 65536.
+ This value only applies to containers created after the kubelet was started with
+ this `KubeletConfiguration`.
+ Running containers are not affected by this config.
+
+ In Kubernetes prior to v1.33, the ID count for each of Pods was hard-coded to
+ 65536.
+
# # Integration with Pod security admission checks
{{< feature-state state="alpha" for_k8s_version="v1.29" >}}
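Review bot: the closing fence of the YAML block appears as "` ` `" (backticks separated by spaces), so the block never closes and the paragraphs after it will render as code; it must be three adjacent backticks. "The value of `idsPerPod` (uint32) must be a multiple of 65536" should also state the minimum (the default 65536 is presumably the lowest accepted value; please confirm) and tie the value back to the kubelet's subordinate ID count requirement in the section above, since each Pod consumes `idsPerPod` IDs out of the kubelet user's range and a larger value with an unchanged range reduces how many Pods the node can map. "Running containers are not affected" and "applies to containers created after the kubelet was started" should say Pods, because the mapping and the count are per Pod, as the heading itself says. The heading "ID count for each of Pods" reads awkwardly; "ID count per Pod" is clearer.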