Docker supports user namespaces, so that the uid namespace is completely separated from the host, enabling to effectively map root in the container to something else on the host.
Is there any support in Kubernetes for this feature to be enabled on the underlying docker engine? Will it work out of the box without issues?
So, it's not supported yet like Docker as per this (as alluded in the comments) and this.
However, if you are looking at isolating your workloads there are other alternatives (it's not the same, but the options are pretty good):
You can use Pod Security Policies and specifically you can use RunAsUser, together with AllowPrivilegeEscalation=false. Pod Security Policies can be tied to RBAC so you can restrict how users run their pods.
In other words, you can force your users to run pods only as 'youruser' and disable the privileged
flag in the pod securityContext
. You can also disable sudo
and in your container images.
Furthermore, you can drop Linux Capabilities, specifically CAP_SETUID
. And even more advanced use a seccomp profile, use SElinux or an Apparmor profile.
Other alternatives to run untrusted workloads (in alpha as of this writing):