OCPSTRAT-207 (OpenShift Container Platform (OCP) Strategy)

TP in 4.17: Support User Namespaces in pods

    • Program Call
    • This introduces a big change to how Kubernetes pods/containers can be run, and CEE should be made aware of how to configure and debug it.

      As an OpenShift admin, I want to make sure my OpenShift is secure, which includes the container and the OS. I want to make sure user access to the container or the OS is given as per need, so we can give users enough privileges in the container to do their work and prevent them from escaping out to the OS with their container privileges and doing harm to the OS and other containers. For example, a user with root privileges inside a container does not necessarily need to have root privileges in the OS.

      • TP in 4.17
      • GA targeted in 4.18

      More Details

      User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys, and capabilities. A process's user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.
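      The kernel expresses the mapping described above in /proc/<pid>/uid_map (and gid_map), where each line is "ID-inside ID-outside length". As an added example, not code from this issue or from OpenShift, the following Python parses that format and translates IDs in both directions. The two mapping strings are constructed samples: one resembles a pod whose user namespace backs in-namespace root with unprivileged host IDs, the other is the identity mapping a process sees when it shares the host's user namespace. The 65534 overflow value is the kernel default for IDs with no mapping.

```python
"""Translate user/group IDs across a user-namespace boundary using the
/proc/<pid>/uid_map format ("inside_start outside_start length" per line).
Added example; the sample maps below are constructed, not taken from a system."""

from dataclasses import dataclass
from typing import List, Optional

# Kernel default for IDs that have no mapping (/proc/sys/kernel/overflowuid).
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdMapping:
    inside_start: int   # first ID as seen inside the namespace
    outside_start: int  # corresponding first ID in the parent (host) namespace
    length: int         # number of consecutive IDs covered by this range


def parse_id_map(text: str) -> List[IdMapping]:
    """Parse uid_map/gid_map text; blank lines are ignored, bad lines rejected."""
    mappings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid range in id_map line: {line!r}")
        mappings.append(IdMapping(inside, outside, length))
    return mappings


def inside_to_outside(mappings: List[IdMapping], uid: int) -> Optional[int]:
    """Host-side ID that the kernel actually checks for an ID seen inside
    the namespace; None when the ID is unmapped."""
    for m in mappings:
        if m.inside_start <= uid < m.inside_start + m.length:
            return m.outside_start + (uid - m.inside_start)
    return None


def outside_to_inside(mappings: List[IdMapping], uid: int) -> Optional[int]:
    """ID under which a host-side owner (e.g. of a file) appears inside the
    namespace; None when unmapped, in which case the kernel shows OVERFLOW_ID."""
    for m in mappings:
        if m.outside_start <= uid < m.outside_start + m.length:
            return m.inside_start + (uid - m.outside_start)
    return None


def is_host_root(mappings: List[IdMapping], inside_uid: int) -> bool:
    """True only if the in-namespace ID is backed by real host root (uid 0)."""
    return inside_to_outside(mappings, inside_uid) == 0


# Constructed sample: in-namespace IDs 0..65535 backed by host IDs 100000..165535,
# the shape a pod gets when it runs in its own user namespace.
POD_UID_MAP = "         0     100000      65536\n"

# Constructed sample: the identity mapping a process sees in the host's own
# user namespace, where in-namespace root is host root.
HOST_UID_MAP = "         0          0 4294967295\n"


def describe_root(map_text: str) -> str:
    """One-line summary of what uid 0 inside the namespace means on the host."""
    m = parse_id_map(map_text)
    host_uid = inside_to_outside(m, 0)
    if host_uid is None:
        return "uid 0 inside is unmapped; kernel reports it as uid %d" % OVERFLOW_ID
    if is_host_root(m, 0):
        return "uid 0 inside is host root (uid 0): no isolation from the host"
    return "uid 0 inside is host uid %d: root in the namespace, unprivileged on the host" % host_uid


if __name__ == "__main__":
    print("pod namespace :", describe_root(POD_UID_MAP))
    print("host namespace:", describe_root(HOST_UID_MAP))
    # A host file owned by uid 0 has no mapping in the pod's namespace,
    # so a process there sees it as the overflow owner, not as its own root.
    owner = outside_to_inside(parse_id_map(POD_UID_MAP), 0)
    print("host-root-owned file appears inside as uid", OVERFLOW_ID if owner is None else owner)
```

      Reading /proc/<pid>/uid_map for a container process and passing it to describe_root is a quick way to confirm whether in-container root is actually backed by an unprivileged host ID.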

              Gaurav Singh (gausingh@redhat.com)
              Giuseppe Scrivano
              Aruna Naik
              Matthew Werner
              Derrick Ornelas