Feature Overview (aka. Goal Summary)  

Control Plane containers to have isolated permissions to protect the host and each other from potential security threats. 

In OpenShift 4.17 there's a new feature that allows running containers in Linux user namespaces (https://docs.openshift.com/container-platform/4.17/nodes/pods/nodes-pods-user-namespaces.html). 

This feature would enable the control plane containers to leverage this functionality to further protect the host.

Why Is User Namespace Isolation Important?

Default Setup: Containers usually run in the host's root namespace, sometimes required for specific features.

Security Risk: Running in the host namespace can allow container breakouts, where a container process could access or modify files on the host or other containers.

OCPSTRAT-1654 adds full support to user namespaces in pods.

Kubernetes v1.33 (OpenShift 4.20) includes this by default https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/