
TP in 4.17 : Support User Namespaces in pods

    • Program Call
    • This introduces a big change to how Kubernetes pods/containers can be run, and CEE should be made aware of how to configure and debug it.

      As an OpenShift admin, I want to make sure my OpenShift cluster is secure, including both the containers and the OS. I want user access to a container or to the OS to be granted only as needed, so that we can give users enough privileges inside a container to do their work while preventing them from escaping to the OS with their container privileges and harming the OS and other containers. For example, a user with root privileges inside a container does not necessarily need root privileges on the OS.

      • TP in 4.17
      • GA targeted in 4.18

      More Details

      User namespaces isolate security-related identifiers and attributes, in particular, user IDs and group IDs, the root directory, keys, and capabilities. A process's user and group IDs can be different inside and outside a user namespace. In particular, a process can have a normal unprivileged user ID outside a user namespace while at the same time having a user ID of 0 inside the namespace; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace.
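      The mapping described above is visible from inside a container in `/proc/self/uid_map` (and `gid_map`): each line is `inside_start outside_start length`. The following script, added here as an illustration and not part of this issue or of OpenShift's own tooling, parses such a map and reports whether in-container UID 0 is really host UID 0, which is the quickest way to confirm whether a pod is actually running in a user namespace when configuring or debugging it. The two map texts are constructed samples; the 100000/65536 range is an arbitrary example of a host-side allocation, not a value taken from this page.

```python
"""Check a container's /proc/<pid>/uid_map to see where in-container IDs land on the host."""
from typing import List, Optional, Tuple

# Each entry is (inside_start, outside_start, length), as documented in user_namespaces(7).
IdMap = List[Tuple[int, int, int]]

# Full 32-bit identity map: what an unconfined (no user namespace) container shows.
IDENTITY_MAP: IdMap = [(0, 0, 4294967295)]

# Constructed sample: contents of /proc/1/uid_map in a container that shares the host's
# user namespace. Container root == host root.
HOST_NS_MAP = "         0          0 4294967295\n"

# Constructed sample: contents of /proc/1/uid_map in a container placed in its own user
# namespace, with container UIDs 0..65535 mapped onto host UIDs 100000..165535.
USERNS_MAP = "         0     100000      65536\n"


def parse_id_map(text: str) -> IdMap:
    """Parse the text of a uid_map/gid_map file into (inside, outside, length) triples."""
    entries: IdMap = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        inside, outside, length = (int(p) for p in parts)
        if length <= 0:
            raise ValueError(f"non-positive length in id_map line: {line!r}")
        entries.append((inside, outside, length))
    return entries


def map_to_host(inside_id: int, entries: IdMap) -> Optional[int]:
    """Return the host-side ID for an in-namespace ID, or None if it is unmapped.

    An unmapped ID is not an error: the kernel presents it as the overflow ID
    (65534 by default) when viewed from outside, and nothing inside can own it.
    """
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def is_user_namespaced(entries: IdMap) -> bool:
    """True when the map is anything other than the full identity mapping."""
    return entries != IDENTITY_MAP


def container_root_is_host_root(entries: IdMap) -> bool:
    """True when UID 0 inside the container is UID 0 on the host (no isolation for root)."""
    return map_to_host(0, entries) == 0


def describe(uid_map_text: str) -> str:
    """Human-readable summary used when debugging a pod's effective privileges."""
    entries = parse_id_map(uid_map_text)
    host_root = map_to_host(0, entries)
    if container_root_is_host_root(entries):
        return "container root IS host root (no user namespace isolation)"
    return (f"container root maps to host UID {host_root}; "
            f"user namespace in use: {is_user_namespaced(entries)}")


if __name__ == "__main__":
    for label, sample in (("host namespace", HOST_NS_MAP), ("user namespace", USERNS_MAP)):
        print(f"{label}: {describe(sample)}")
</test>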

            People: Gaurav Singh (gausingh@redhat.com), Giuseppe Scrivano, Aruna Naik, Matthew Werner, Derrick Ornelas
            Votes: 10; Watchers: 41
