Allow setting `hostUsers` on pods

[especially-relative]

Welcome!

• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've searched similar issues on the Traefik community forum and didn't find any.

What do you want to achieve with this Chart ?

To adhere to restrictive cluster security policies, setting hostUsers on the pod spec should be possible.

k8s docs here: User Namespaces Docs. This reduces blast radius of a pod compromise, and many orgs have added a security policy to require that hostUsers be set to false.

In most cases this can be set to false with negligible impact on the workload. That being said, setting it to false by default would risk breaking some installations that mount in certain storage types that lack idmap support, or are using less common network configurations like setting hostNetwork.

Proposal

Add templating for setting hostUsers in the pod template, and leave it unset by default, then document it.

This is a very simple feature, if there is maintainer support I can throw together a quick PR.

[mloiseleur]

Reducing blast radius is often a good idea. Thanks for this proposal 👍.

A key configuration parameter like this one has only been available since K8s v1.33. Even if we prefer to be secure by default, maybe it's better to make it opt-in as a first step. We'll see during the review with the other maintainers.

You are welcome to open a PR. Please consider our contribution guide and also that we work hard to provide a good user experience.

=> Following upstream limitations, the Chart should fail when the user tries to enable incompatible parameters.

[jnoordsij]

I think adding support for configuring this is a great idea. I do however agree, or probably even strongly argue, it should definitely be opt-in: apart from it being relatively new and thus requiring a more recent K8S version for support, there's also quite a bit of restrictions on the cluster in general for this feature, see also https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#before-you-begin. Especially for managed clusters, some chart consumers might not be able to support it yet/soon.