DevConf.cz 2021

Namespaces are a fundamental building block of containers that provide isolation to avoid them interfering with each other. Linux supports different namespaces to isolate different system resources like network stack, process IDs, cgroups, etc.

User namespaces provide user IDs and group IDs isolation. A process can have different user and group IDs inside and outside of a user namespace. In particular, a process can be privileged (UID 0) inside a user namespace and have an unprivileged ID outside. User namespaces work together with other namespaces to allow a process to perform privileged operations in the namespaces it's running in without affecting other namespaces. For instance, a process can configure the network interface of the network namespace it's running in but not on other namespaces.

Running a process as root inside containers is a security risk, if such a process is able to break out of the container into the host, it can cause considerable damage as it'll be running as a privileged user there. User namespaces offer a solution for this problem making it possible to run processes as root in the containers while being non-root in the host. In this case, the effect of a process breaking into the host is more limited as it won't have root privileges.

User namespaces are supported in some container runtimes but Kubernetes doesn't support them yet. We have been working together with different communities to fill this gap by gathering use cases. We created a Kubernetes Enhancement Proposal (https://github.com/kubernetes/enhancements/pull/2101) with a plan to bring this support in the incoming Kubernetes releases. We have also implemented a prototype of this idea in Kubernetes and the containerd/cri runtime.

In this talk, I'll introduce user namespaces and how they can increase the security of a Kubernetes cluster. I'll explain how we are working with the community to bring this support to Kubernetes, the challenges we are facing to support volumes and how different approaches like shiftfs and idmapped mounts are trying to fix them.