- Feature
- Resolution: Done
- Critical
- None
- Strategic Product Work
- False
- False
- 0% To Do, 0% In Progress, 100% Done
- 0
- Program Call
This introduces a big change to how Kubernetes pods/containers can be run, and CEE should be made aware of how to configure and debug it.
-
As an OpenShift admin, I want to make sure my OpenShift cluster is secure, which includes both the containers and the OS. I want user access to a container or to the OS to be granted only as needed, so that we can give users enough privileges inside the container to do their work while preventing them from escaping to the OS with their container privileges and harming the OS and other containers. For example, a user with root privileges inside a container does not necessarily need root privileges on the OS.
- TP in 4.17
- GA targeted in 4.18
More Details
User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys, and capabilities. A process's user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.
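An added example (not code from this feature record): translating IDs across a user namespace boundary using the `/proc/<pid>/uid_map` format, with a constructed mapping of container uids 0..65535 onto host uids 100000..165535. It makes the point above concrete: uid 0 inside the namespace is an ordinary unprivileged uid on the host, and host uid 0 is unmapped inside, where it shows up as the kernel's overflow uid.

```python
"""Map UIDs across a user-namespace boundary (format of /proc/<pid>/uid_map).

Added example, not code from the feature record; the uid ranges are constructed.
"""
from typing import List, Optional, Tuple
# Constructed sample in /proc/<pid>/uid_map format:
# "<id inside namespace> <id in parent namespace> <length>".
# Container uids 0..65535 are mapped onto host uids 100000..165535.
SAMPLE_UID_MAP = """\
         0     100000      65536
"""
# Kernel default for /proc/sys/kernel/overflowuid: how an unmapped id appears.
OVERFLOW_UID = 65534
IdMap = List[Tuple[int, int, int]]


def parse_id_map(text: str) -> IdMap:
    """Parse uid_map/gid_map text into (inside_start, outside_start, length) triples."""
    triples = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        triples.append((inside, outside, length))
    return triples


def inside_to_outside(id_map: IdMap, inside_id: int) -> Optional[int]:
    """Host (parent namespace) id for an inside id, or None if it is unmapped."""
    for inside, outside, length in id_map:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def outside_to_inside(id_map: IdMap, outside_id: int) -> int:
    """Inside-namespace id for a host id; unmapped host ids appear as the overflow id."""
    for inside, outside, length in id_map:
        if outside <= outside_id < outside + length:
            return inside + (outside_id - outside)
    return OVERFLOW_UID


def is_host_root(id_map: IdMap, inside_id: int) -> bool:
    """True only if an inside id is really uid 0 on the host."""
    return inside_to_outside(id_map, inside_id) == 0
```

On a real node the same functions can be fed the contents of `/proc/<container-pid>/uid_map` to check which host uid a container process actually runs as.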
- blocks
  - RFE-3266 Leverage /dev/fuse in unprivileged containers within OpenShift (Accepted)
  - OCPSTRAT-198 Secure-by-default image builds (New)
  - OCPSTRAT-925 Add ProcMount option GA in 4.18 (New)
- is related to
  - RFE-3254 Support User Namespaces (Accepted)
  - OCPSTRAT-198 Secure-by-default image builds (New)
- relates to
  - AUTH-324 User-namespace-aware SCC (Closed)
  - RFE-4517 Add Support for Nested Containers in DevSpaces (Accepted)
- links to