
Availability

Stage: Experimental

User Namespaces

Since Kubernetes v1.33 (and containerd >2.X), the User Namespaces feature can be used to isolate users in the container from users in the host.

Overview

User namespaces is a Linux feature that allows mapping users in the container to different users in the host.

  • Impact: A process running as root inside the container can be mapped to a non-privileged user on the host.
  • Opt-in: Set pod.spec.hostUsers: false.

apiVersion: v1
kind: Pod
metadata:
  name: userns
spec:
  hostUsers: false
  containers:
  - name: shell
    image: debian
    command: ["sleep", "infinity"]

Important Notes / Limitations

  • NFS: Does not support idmapped mounts (ext4, tmpfs, overlayfs are supported).
  • Host Namespaces: If hostUsers: false, you CANNOT use hostNetwork: true, hostIPC: true, or hostPID: true.
  • Volume Devices: No raw block volumes (volumeDevices).

Security Considerations

We recommend always using hostUsers: false for containers running as "root" (e.g., operators).

This limits the blast radius of a container escape. Capabilities like CAP_SYS_MODULE or CAP_SYS_ADMIN become void or limited to the user namespace, providing a significant security boost.
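
The limitations and the recommendation above can be checked before a pod is deployed. The following is an added example, not NatronTech's or Kubernetes' own tooling: it audits Pod objects (JSON in the shape printed by kubectl get pods -o json) against the rules on this page. The function names, the sample pods and image names, and the assumption that a container with neither runAsUser nor runAsNonRoot set may run as root are the example's own.

```python
import json

HOST_NS_FIELDS = ("hostNetwork", "hostIPC", "hostPID")

def may_run_as_root(spec, container):
    # Container-level securityContext fields override pod-level ones.
    ctx = {**(spec.get("securityContext") or {}), **(container.get("securityContext") or {})}
    if ctx.get("runAsNonRoot") is True:
        return False
    # Assumption: with runAsUser unset, the image default may be UID 0.
    return ctx.get("runAsUser", 0) == 0

def audit_pod(pod):
    """Return a list of findings for one Pod object (dict parsed from JSON)."""
    spec, name = pod["spec"], pod["metadata"]["name"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    findings = []
    if spec.get("hostUsers", True) is False:
        for field in HOST_NS_FIELDS:
            if spec.get(field) is True:
                findings.append(f"{name}: hostUsers: false is incompatible with {field}: true")
        for c in containers:
            if c.get("volumeDevices"):
                findings.append(f"{name}/{c['name']}: volumeDevices not allowed with hostUsers: false")
    else:  # hostUsers absent or true: the pod shares the host user namespace
        for c in containers:
            if may_run_as_root(spec, c):
                findings.append(f"{name}/{c['name']}: may run as root, set hostUsers: false")
    return findings

def audit_all(pod_list):
    return [f for pod in pod_list["items"] for f in audit_pod(pod)]

# Constructed sample input (not taken from a real cluster).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "userns"},
  "spec": {"hostUsers": false, "containers": [{"name": "shell", "image": "debian"}]}},
 {"metadata": {"name": "operator"},
  "spec": {"containers": [{"name": "manager", "image": "example/operator"}]}},
 {"metadata": {"name": "bad-combo"},
  "spec": {"hostUsers": false, "hostNetwork": true,
           "containers": [{"name": "disk", "image": "debian",
                           "volumeDevices": [{"name": "raw", "devicePath": "/dev/xvda"}]}]}},
 {"metadata": {"name": "nonroot"},
  "spec": {"securityContext": {"runAsUser": 1000},
           "containers": [{"name": "app", "image": "example/app"}]}}
]}
""")

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE)))
```
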
