Merge pull request #41908 from kinvolk/rata/userns-1.28

Doc update for userns in 1.28
kubernetes · Aug 8, 2023 · b23511b · b23511b
2 parents a2cf620 + c250efb
commit b23511b
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 26 deletions.
diff --git a/content/en/docs/concepts/workloads/pods/user-namespaces.md b/content/en/docs/concepts/workloads/pods/user-namespaces.md
@@ -46,19 +46,22 @@ tmpfs, Secrets use a tmpfs, etc.)
 Some popular filesystems that support idmap mounts in Linux 6.3 are: btrfs,
 ext4, xfs, fat, tmpfs, overlayfs.
 
-<!-- When merging this with the dev-1.27 branch conflicts will arise. The text
-as it is in the dev-1.27 branch should be used. -->
 In addition, support is needed in the 
 {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}
-to use this feature with Kubernetes stateless pods:
+to use this feature with Kubernetes pods:
 
 * CRI-O: version 1.25 (and later) supports user namespaces for containers.
 
-Please note that containerd v1.7 supports user namespaces for containers,
-compatible with Kubernetes {{< skew currentPatchVersion >}}. It should not be used
-with Kubernetes 1.27 (and later).
+containerd v1.7 is not compatible with the userns support in Kubernetes v1.27 to v{{< skew latestVersion >}}.
+Kubernetes v1.25 and v1.26 used an earlier implementation that **is** compatible with containerd v1.7,
+in terms of userns support.
+If you are using a version of Kubernetes other than {{< skew currentVersion >}},
+check the documentation for that version of Kubernetes for the most relevant information.
+If there is a newer release of containerd than v1.7 available for use, also check the containerd
+documentation for compatibility information.
 
-Support for this in [cri-dockerd is not planned][CRI-dockerd-issue] yet.
+You can see the status of user namespaces support in cri-dockerd tracked in an [issue][CRI-dockerd-issue]
+on GitHub.
 
 [CRI-dockerd-issue]: https://github.com/Mirantis/cri-dockerd/issues/74
 
@@ -72,7 +75,7 @@ A pod can opt-in to use user namespaces by setting the `pod.spec.hostUsers` fiel
 to `false`.
 
 The kubelet will pick host UIDs/GIDs a pod is mapped to, and will do so in a way
-to guarantee that no two stateless pods on the same node use the same mapping.
+to guarantee that no two pods on the same node use the same mapping.
 
 The `runAsUser`, `runAsGroup`, `fsGroup`, etc. fields in the `pod.spec` always
 refer to the user inside the container.
@@ -89,7 +92,7 @@ Most applications that need to run as root but don't access other host
 namespaces or resources, should continue to run fine without any changes needed
 if user namespaces is activated.
 
-## Understanding user namespaces for stateless pods
+## Understanding user namespaces for pods {#pods-and-userns}
 
 Several container runtimes with their default configuration (like Docker Engine,
 containerd, CRI-O) use Linux namespaces for isolation. Other technologies exist
@@ -159,15 +162,6 @@ allowed to set any of:
  * `hostIPC: true`
  * `hostPID: true`
 
-The pod is allowed to use no volumes at all or, if using volumes, only these
-volume types are allowed:
-
- * configmap
- * secret
- * projected
- * downwardAPI
- * emptyDir
-
 ## {{% heading "whatsnext" %}}
 
 * Take a look at [Use a User Namespace With a Pod](/docs/tasks/configure-pod-container/user-namespaces/)
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -205,7 +205,8 @@ For a reference to old feature gates that are removed, please refer to
 | `TopologyManagerPolicyOptions` | `false` | Alpha | 1.26 | 1.27 |
 | `TopologyManagerPolicyOptions` | `true` | Beta | 1.28 | |
 | `UnknownVersionInteroperabilityProxy` | `false` | Alpha | 1.28 | |
-| `UserNamespacesStatelessPodsSupport` | `false` | Alpha | 1.25 | |
+| `UserNamespacesStatelessPodsSupport` | `false` | Alpha | 1.25 | 1.27 |
+| `UserNamespacesSupport` | `false` | Alpha | 1.28 | |
 | `ValidatingAdmissionPolicy` | `false` | Alpha | 1.26 | |
 | `VolumeCapacityPriority` | `false` | Alpha | 1.21 | - |
 | `WatchList` | false | Alpha | 1.27 | |
@@ -774,7 +775,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `UnknownVersionInteroperabilityProxy`: Proxy resource requests to the correct peer kube-apiserver when
   multiple kube-apiservers exist at varied versions.
   See [Mixed version proxy](/docs/concepts/architecture/mixed-version-proxy/) for more information.
-- `UserNamespacesStatelessPodsSupport`: Enable user namespace support for stateless Pods.
+- `UserNamespacesStatelessPodsSupport`: Enable user namespace support for stateless Pods. This flag was renamed on newer releases to `UserNamespacesSupport`.
+- `UserNamespacesSupport`: Enable user namespace support for Pods.
 - `ValidatingAdmissionPolicy`: Enable [ValidatingAdmissionPolicy](/docs/reference/access-authn-authz/validating-admission-policy/) support for CEL validations be used in Admission Control.
 - `VolumeCapacityPriority`: Enable support for prioritizing nodes in different
   topologies based on available PV capacity.

diff --git a/content/en/docs/tasks/configure-pod-container/user-namespaces.md b/content/en/docs/tasks/configure-pod-container/user-namespaces.md
@@ -9,9 +9,8 @@ min-kubernetes-server-version: v1.25
 <!-- overview -->
 {{< feature-state for_k8s_version="v1.25" state="alpha" >}}
 
-This page shows how to configure a user namespace for stateless pods. This
-allows to isolate the user running inside the container from the one in the
-host.
+This page shows how to configure a user namespace for pods. This allows you to
+isolate the user running inside the container from the one in the host.
 
 A process running as root in a container can run as a different (non-root) user
 in the host; in other words, the process has full privileges for operations
@@ -41,7 +40,14 @@ this is true when user namespaces are used.
 * The node OS needs to be Linux
 * You need to exec commands in the host
 * You need to be able to exec into pods
-* Feature gate `UserNamespacesStatelessPodsSupport` need to be enabled.
+* You need to enable the `UserNamespacesSupport`
+  [feature gate](/docs/reference/command-line-tools-reference/feature-gates/)
+
+{{< note >}}
+The feature gate to enable user namespaces was previously named
+`UserNamespacesStatelessPodsSupport`, when only stateless pods were supported.
+Only Kubernetes v1.25 through to v1.27 recognise `UserNamespacesStatelessPodsSupport`.
+{{</ note >}}
 
 The cluster that you're using **must** include at least one node that meets the
 [requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin)
@@ -59,8 +65,8 @@ created without user namespaces.**
 
 ## Run a Pod that uses a user namespace {#create-pod}
 
-A user namespace for a stateless pod is enabled setting the `hostUsers` field of
-`.spec` to `false`. For example:
+A user namespace for a pod is enabled setting the `hostUsers` field of `.spec`
+to `false`. For example:
 
 {{< codenew file="pods/user-namespaces-stateless.yaml" >}}