Kubernetes
Posted September 13, 2023

Kubernetes v1.25 introduced support for user namespaces for only stateless pods. Kubernetes 1.28 lifted that restriction, after some design changes were done in 1.27.

The beauty of this feature is that:

- it is trivial to adopt (you just need to set a bool in the pod spec)
- doesn't need any changes for most applications
- improves security by drastically enhancing the isolation of containers and mitigating CVEs rated HIGH and CRITICAL.

This post explains the basics of user namespaces and also shows:

- the changes that arrived in the recent Kubernetes v1.28 release
- a demo of a vulnerability rated as HIGH that is not exploitable with user namespaces
- the runtime requirements to use this feature
- what you can expect in future releases regarding user namespaces.
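A way to verify from inside a container that the setting took effect, as an added example that is not part of the original post: it parses the Linux `/proc/<pid>/uid_map` format and reports whether container root still maps to root outside the namespace. The post does not name the pod spec bool (it is `hostUsers: false`), and the sample maps and their ID ranges are constructed.

```python
"""Check whether a process runs in a remapped user namespace (Linux)."""
from pathlib import Path

# Constructed samples in /proc/<pid>/uid_map format:
# "<first ID inside ns> <first ID outside ns> <length>"
HOST_USERS_MAP = "         0          0 4294967295\n"   # no user namespace
USERNS_POD_MAP = "         0     131072      65536\n"   # constructed host range


def parse_id_map(text):
    """Return [(inside, outside, length), ...] from uid_map/gid_map text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries


def host_id_for(entries, inside_id):
    """Translate an ID seen in the container to the outside ID, or None if unmapped."""
    for inside, outside, length in entries:
        if inside <= inside_id < inside + length:
            return outside + (inside_id - inside)
    return None


def is_remapped(entries):
    """True when UID 0 in the container is not UID 0 outside it."""
    return host_id_for(entries, 0) != 0


def check_current_process(path="/proc/self/uid_map"):
    """Apply the check to the calling process (run this inside the pod)."""
    return is_remapped(parse_id_map(Path(path).read_text()))


if __name__ == "__main__":
    for name, sample in (("host users", HOST_USERS_MAP), ("userns pod", USERNS_POD_MAP)):
        print(name, "remapped:", is_remapped(parse_id_map(sample)))
    if Path("/proc/self/uid_map").exists():
        print("this process remapped:", check_current_process())
```

Run the same check against `gid_map` as well, since group IDs are mapped separately from user IDs.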