content: Update user namespaces version requirements

Also, with the new implementation, the fsGroup was dropped. So removed the mention to those limitations. Signed-off-by: Rodrigo Campos <[email protected]>
kubernetes · Mar 27, 2023 · dba0dd1 · dba0dd1
1 parent 6a77308
commit dba0dd1
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 18 deletions.
diff --git a/content/en/docs/concepts/workloads/pods/user-namespaces.md b/content/en/docs/concepts/workloads/pods/user-namespaces.md
@@ -32,19 +32,34 @@ mitigate some future vulnerabilities too.
 {{% thirdparty-content single="true" %}}
 <!-- if adding another runtime in the future, omit the single setting -->
 
-This is a Linux only feature. In addition, support is needed in the 
+This is a Linux-only feature and support is needed in Linux for idmap mounts on
+the filesystems used. This means:
+
+* The filesystem you use for `/var/lib/kubelet/pods/`, or the custom directory
+  you configure for this, needs idmap mount support.
+* All the filesystems used in the pod need support for idmap mounts.
+
+In practice this means you need at least Linux 6.3, as tmpfs started supporting
+idmap mounts in that version. This is usually needed as several Kubernetes
+features use tmpfs (the service account token that is mounted by default uses a
+tmpfs, Secrets use a tmpfs, etc.)
+
+Some popular filesystems that support idmap mounts in Linux 6.3 are: btrfs,
+ext4, xfs, fat, tmpfs, overlayfs.
+
+In addition, support is needed in the 
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
 to use this feature with Kubernetes stateless pods:
 
-* CRI-O: v1.25 has support for user namespaces.
+* CRI-O: version 1.25 (and later) supports user namespaces for containers.
 
-* containerd: support is planned for the 1.7 release. See containerd
-  issue [#7063][containerd-userns-issue] for more details.
+Please note that containerd v1.7 supports user namespaces for containers,
+compatible with Kubernetes {{< skew currentVersion >}}. It should not be used
+with Kubernetes 1.27 (and later).
 
 Support for this in [cri-dockerd is not planned][CRI-dockerd-issue] yet.
 
 [CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74
-[containerd-userns-issue]: https://github.com/containerd/containerd/issues/7063
 
 ## Introduction
 
@@ -152,13 +167,4 @@ volume types are allowed:
  * downwardAPI
  * emptyDir
 
-To guarantee that the pod can read the files of such volumes, volumes are
-created as if you specified `.spec.securityContext.fsGroup` as `0` for the Pod.
-If it is specified to a different value, this other value will of course be
-honored instead.
 
-As a by-product of this, folders and files for these volumes will have
-permissions for the group, even if `defaultMode` or `mode` to specific items of
-the volumes were specified without permissions to groups. For example, it is not
-possible to mount these volumes in a way that its files have permissions only
-for the owner.
diff --git a/content/en/docs/tasks/configure-pod-container/user-namespaces.md b/content/en/docs/tasks/configure-pod-container/user-namespaces.md
@@ -43,16 +43,22 @@ this is true when user namespaces are used.
 * You need to be able to exec into pods
 * Feature gate `UserNamespacesStatelessPodsSupport` need to be enabled.
 
-In addition, support is needed in the
-{{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-to use this feature with Kubernetes stateless pods:
+The cluster that you're using **must** include at least one node that meets the
+[requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin)
+for using user namespaces with Pods.
 
-* CRI-O: v1.25 has support for user namespaces.
+If you have a mixture of nodes and only some of the nodes provide user namespace support for
+Pods, you also need to ensure that the user namespace Pods are
+([scheduled](/docs/concepts/scheduling-eviction/assign-pod-node/) to suitable nodes.
 
 Please note that **if your container runtime doesn't support user namespaces, the
 new `pod.spec` field will be silently ignored and the pod will be created without
 user namespaces.**
 
+Please note that containerd v1.7 supports user namespaces for containers,
+compatible with Kubernetes {{< skew currentVersion >}}. It should not be used
+with Kubernetes 1.27 (and later).
+
 <!-- steps -->
 
 ## Run a Pod that uses a user namespace {#create-pod}