openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

GA User Name Space

Browse Source
This commit is contained in:
Michael Burke
2024-11-14 09:46:16 -05:00
committed by openshift-cherrypick-robot
parent 0b4900ed4b
commit 76c82091a7
3 changed files with 103 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
nodes/pods/nodes-pods-user-namespaces.adoc
View File

@@ -8,15 +8,10 @@ toc::[]
Linux user namespaces allow administrators to isolate the container user and group identifiers (UIDs and GIDs) so that a container can have a different set of permissions in the user namespace than on the host system where it is running. This allows containers to run processes with full privileges inside the user namespace, but the processes can be unprivileged for operations on the host machine.
By default, a container runs in the host system's root user namespace. Running a container in the host user namespace can be useful when the container needs a feature that is available only in that user namespace. However, it introduces security concerns, such as the possibility of container breakouts, in which a process inside a container breaks out onto the host where the process can access or modify files on the host or in other containers.
By default, a container runs in the host user namespace. Running a container in the host user namespace can be useful when the container needs a feature that is available only in the host namespace. However, running pods in the host namespace introduces security concerns, such as the possibility of container breakouts, in which a process inside another container breaks out onto the host where the process can access or modify files on the host or in your containers.
Running containers in individual user namespaces can mitigate container breakouts and several other vulnerabilities that a compromised container can pose to other pods and the node itself.
You can configure Linux user namespace use by setting the `hostUsers` parameter to `false` in the pod spec, as shown in the following procedure.
:FeatureName: Support for Linux user namespaces
include::snippets/technology-preview.adoc[]
// The following include statements pull in the module files that comprise
// the assembly. Include any combination of concept, procedure, or reference
// modules required to cover the user story. You can also include other
@@ -24,3 +19,9 @@ include::snippets/technology-preview.adoc[]
include::modules/nodes-pods-user-namespaces-configuring.adoc[leveloffset=+1]
[role="_additional-resources"]
.Additional resources
* xref:../../authentication/managing-security-context-constraints.adoc#configuring-internal-oauth[Managing security context constraints]
* xref:../../cli_reference/openshift_cli/administrator-cli-commands.adoc#cli-administrator-commands[OpenShift CLI administrator command reference]