[CRW-8320] Enable Support for Nested Containers - Red Hat Issue Tracker

Type: Feature Request
Resolution: Unresolved
Priority: Major
Fix Version/s: 3.x
Affects Version/s: None
Component/s: Team B: DevWorkspace + Operator, Web Terminal + Operator, editors/IDEs + built-in vscode extensions, Universal Developer Image, machine-exec, dev environment config
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Intelligence Requested:
Market:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

OCP 4.19 adds the ability to run secure, nested containers in a Pod.

Reference - https://github.com/cgruver/ocp-4-18-nested-container-tech-preview

The relevant feature gates are -

UserNamespacesSupport
UserNamespacesPodSecurityStandards
ProcMountType

By enabling the new capabilities in OpenShift Dev Spaces we will provide users with a full podman and podman-compose capability inside of a workspace.

Changes needed to Dev Spaces -

Ability to detect OCP version 4.19+
Feature toggle to enable nested containers for workspaces on OCP 4.19+
SCC that implements the constraints necessary for user namespaces
Changes to UDI images to use a different pattern for subuid and subgid
Changes to DevWorkspace Operator to create workspace Deployments with the correct securityContext settings

Considerations for design -

Processes in containers can now run with predictable uid/gid
Need to block enabling on OCP < 4.19
It is now possible to run containers as root without security implications

Example SCC -

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: nested-podman-scc
priority: null
allowPrivilegeEscalation: true
allowedCapabilities:
- SETUID
- SETGID
fsGroup:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 65534
runAsUser:
  type: MustRunAs
  uid: 1000
seLinuxContext:
  type: MustRunAs
  seLinuxOptions:
    type: container_engine_t
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 65534
userNamespaceLevel: RequirePodLevel

Significant changes -

`userNamespaceLevel: RequirePodLevel ` - Forces the Pod to use usernamespaces for uid/gid instead of host uid/gid
`runAsUser:, fsGroup:, supplementalGroups:` - Allows the workspace containers to run as known uid/gid
`seLinuxOptions:` - uses the `container_engine_t` selinux type which is compatible with usernamespaces.

Example Pod -

apiVersion: v1
kind: Pod
metadata:
  name: nested-podman
  namespace: podman-demo
  annotations:
    io.kubernetes.cri-o.Devices: "/dev/fuse,/dev/net/tun"
    openshift.io/scc: nested-podman-scc
spec:
  hostUsers: false
  containers:
  - name: nested-podman
    image: quay.io/cgruver0/che/workspace-base:latest
    securityContext:
      allowPrivilegeEscalation: true
      procMount: Unmasked
      capabilities:
        add:
        - "SETUID"
        - "SETGID"

Assignee:: Anatolii Bazko

Reporter:: Charro Gruver

Votes:: 2 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/03/13 2:20 PM

Updated:: 2025/03/26 3:48 PM

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates

Hide