Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-207

Support User Namespaces in pods

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-16OpenShift - Kubernetes and Core Platform
    • 60
    • 60% 60%
    • 0
    • 0
    • Program Call

    Description

      As a openshift admin i want to make sure my openshift is secure which include container and OS . I want to make sure user access to container or OS is given as per need so we can give enough privileges to user in container to do their work and prevent them escaping out to OS with their container privileges and do harm to the OS and other containers  . example a user with root privileges inside container does not nesserty need to have root privileges in OS .

       

      More Details 

      User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys, and capabilities. A process's user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.

      Attachments

        Issue Links

          blocks

          Feature Request - Feature requests from customers and/or users RFE-3266 Leverage /dev/fuse in unprivileged containers within OpenShift

          • Undefined - Priority not specified.
          • Accepted

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-198 Secure-by-default image builds

          • Critical - To be worked on immediately following BLOCKER issues.
          • New

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-925 Add ProcMount option

          • Undefined - Priority not specified.
          • New
          is related to

          Feature Request - Feature requests from customers and/or users RFE-3254 Support User Namespaces

          • Undefined - Priority not specified.
          • Accepted
          relates to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. AUTH-324 User-namespace-aware SCC

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • To Do

          Feature Request - Feature requests from customers and/or users RFE-4517 Add Support for Nested Containers in DevSpaces

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Accepted

          Activity

            People

              gausingh@redhat.com Gaurav Singh
              gausingh@redhat.com Gaurav Singh
              Giuseppe Scrivano
              Matthew Werner Matthew Werner
              Giuseppe Scrivano Giuseppe Scrivano
              Derrick Ornelas Derrick Ornelas
              Votes:
              8 Vote for this issue
              Watchers:
              27 Start watching this issue

              Dates

                Created:
                Updated: