  1. Container Tools
  2. RUN-1560

User namespace support in k8s for stateless pods (upstream work)

    • Epic
    • Resolution: Done
    • Undefined
    • openshift-4.17
    • None
    • None
    • None
    • User namespace support in k8s
    • Upstream
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-207 - TP in 4.17 : Support User Namespaces in pods
    • rhel-sst-container-tools
    • The KEP was approved upstream and we started to submit the changes needed to complete the first phase.

      Epic Goal

      • Run pods in a separate user namespace for improved security.

      Why is this important?

      It increases separation among pods, as each pod runs in a separate namespace with unique user IDs.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      1. upstream KEP: https://github.com/kubernetes/enhancements/issues/127
      2. idmapped support in the RHEL kernel: https://bugzilla.redhat.com/show_bug.cgi?id=2080319

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

          1. Docs Tracker: Sub-task, Closed, Undefined, Unassigned
          2. PX Tracker: Sub-task, Closed, Undefined, Unassigned
          3. QE Tracker: Sub-task, Closed, Undefined, Unassigned
          4. TE Tracker: Sub-task, Closed, Undefined, Unassigned

              gscrivan@redhat.com Giuseppe Scrivano
              umohnani Urvashi Mohnani