Uploaded image for project: 'Red Hat OpenShift Control Planes'
  1. Red Hat OpenShift Control Planes
  2. CNTRLPLANE-1544

Control Plane Pods in User Namespaces

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • None
    • None
    • Control Plane Pods in User Namespaces
    • None
    • OCPSTRAT-1735Control Plane Pods in User Namespaces
    • 67% To Do, 33% In Progress, 0% Done
    • False
    • Hide

      None

      Show
      None
    • False
    • None

      Feature Overview

      Control Plane containers to have isolated permissions to protect the host and each other from potential security threats. 

      In OpenShift 4.17 there's a new feature that allows running containers in Linux user namespaces (https://docs.openshift.com/container-platform/4.17/nodes/pods/nodes-pods-user-namespaces.html). 

      This feature would enable the control plane containers to leverage this functionality to further protect the host.

      Why Is User Namespace Isolation Important?

      Default Setup: Containers usually run in the host's root namespace, sometimes required for specific features.

      Security Risk: Running in the host namespace can allow container breakouts, where a container process could access or modify files on the host or other containers.

      OCPSTRAT-1654 adds full support to user namespaces in pods.

       

      Kubernetes v1.33 (OpenShift 4.20) includes this by default https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/

              rh-ee-okupka Ondřej Kupka
              racedoro@redhat.com Ramon Acedo
              None
              None
              None
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: