OpenShift Pipelines / SRVKP-9726

Enable HostUsers Support in Tekton PodTemplate

    • Type: Epic
    • Resolution: Unresolved
    • Priority: Critical
    • To Do

      Epic Goal

      • Deliver end-to-end support for the Kubernetes hostUsers field within Tekton’s PodTemplate and execution flow, enabling users to configure Kubernetes-native user namespace isolation on OCP 4.20+ without relying on legacy CRI-O–specific annotations.

      Why is this important?

      • Restores compatibility for workloads that rely on user namespace isolation (e.g., buildah-ns).
      • Aligns Tekton Pipelines with OCP 4.20’s Kubernetes-native model and removes reliance on CRI-O–specific annotations.
      • Improves security by allowing controlled user-namespace remapping.
      • Unblocks partner and customer pipelines dependent on user-namespace behavior.
      • Essential for ensuring Tekton runs consistently across Kubernetes and OCP versions.

      Scenarios

      1. A TaskRun requires Kubernetes-native user namespace remapping to function correctly on OCP 4.20+.
      2. A PipelineRun needs to explicitly disable host user namespace sharing by setting hostUsers: false.
      3. Security-conscious workloads require non-root UID mappings enforced through user namespaces.
      4. Migration from CRI-O legacy annotations to upstream Kubernetes fields.

      Acceptance Criteria (Mandatory)

      • hostUsers field is added to Tekton’s PodTemplate API.
      • Merge logic and defaulting behavior are implemented and validated.
      • Field is propagated correctly to generated PodSpecs for all TaskRuns/PipelineRuns.
      • End-to-end tests cover propagation and runtime behavior (including hostUsers: false cases).
      • CI is fully passing with automated tests.
      • Documentation updated with examples and upgrade notes.
      • Release Technical Enablement deliverables are completed.
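
The merge and propagation criteria above hinge on keeping an explicit hostUsers: false distinct from an unset field. The sketch below is an added example, not Tekton's own code: the `PodTemplate` and `PodSpec` types and the `MergePodTemplates`, `ToPodSpec` and `Describe` helpers are hypothetical stand-ins, and it assumes the field is modelled as `*bool`, as in the Kubernetes PodSpec.

```go
package main

import "fmt"

// PodTemplate and PodSpec are hypothetical, trimmed stand-ins for the Tekton
// and Kubernetes types. HostUsers is *bool so nil (unset) differs from false.
type PodTemplate struct{ HostUsers *bool }
type PodSpec struct{ HostUsers *bool }

// MergePodTemplates overlays a run-level template on a configured default.
// A run-level value wins whenever it is set, including an explicit false.
func MergePodTemplates(run, defaults *PodTemplate) *PodTemplate {
	out := &PodTemplate{}
	if defaults != nil {
		out.HostUsers = defaults.HostUsers
	}
	if run != nil && run.HostUsers != nil {
		out.HostUsers = run.HostUsers
	}
	return out
}

// ToPodSpec copies the field only when set, leaving nil for the API default.
func ToPodSpec(t *PodTemplate) PodSpec {
	var spec PodSpec
	if t != nil && t.HostUsers != nil {
		v := *t.HostUsers
		spec.HostUsers = &v
	}
	return spec
}

// Describe renders the tri-state value for logs or test output.
func Describe(p PodSpec) string {
	if p.HostUsers == nil {
		return "unset"
	}
	return fmt.Sprintf("%t", *p.HostUsers)
}

func main() {
	f, t := false, true
	// Constructed cases: run-level false over default true, default only, nothing set.
	fmt.Println(Describe(ToPodSpec(MergePodTemplates(&PodTemplate{HostUsers: &f}, &PodTemplate{HostUsers: &t}))))
	fmt.Println(Describe(ToPodSpec(MergePodTemplates(&PodTemplate{}, &PodTemplate{HostUsers: &f}))))
	fmt.Println(Describe(ToPodSpec(MergePodTemplates(nil, nil))))
}
```

A plain `bool` field would collapse the first and third cases into the same zero value, which is why the hostUsers: false cases need their own test coverage.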

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              rh-ee-abghosh Abhishek Ghosh