KEP-127: Support User Namespaces

[mauriciovasquezbernal]

This PR adds the summary and motivation sections for a KEP proposing to support user namespaces.

This is not a new topic in Kubernetes as it has been discussed multiple times in the past. #127 was tracking the Support Node-Level User Namespaces Remapping design proposal. There was also a PR implementing that but it was never merged.

We want to continue pushing for this feature in Kubernetes, as a first step we are opening this PR that is mainly based on the existing design proposal. We'll continue updating the proposal to complete the KEP and we hope to open a follow up PR soon.

@rata @alban @sargun, @solarkennedy, @jigish

/cc @mrunalp
/sig node

[k8s-ci-robot]

Hi @mauriciovasquezbernal. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mauriciovasquezbernal
To complete the pull request process, please assign derekwaynecarr
You can assign the PR to them by writing /assign @derekwaynecarr in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-node/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sftim]

/ok-to-test

[AkihiroSuda]

Can we have another KEP for this in future? Or it won't be supported? (why?)

[mauriciovasquezbernal]

Definitely. Our plan is to scope this KEP to some specific use cases now and leave further improvements like that for the future.

[alban]

Suggested change

	together to make containers secure. User namespaces is one such features that
	together to make containers secure. User namespaces is one such feature that

[alban]

I suggest to distinguish the rationale for per pod mappings and per container mappings:

Suggested change

	- To have different uid/gid mappings per pod/container. All pods/containers
	running in a node share a common user namespace remapping configuration.
	- To have different uid/gid mappings for each pod. All pods running in a
	node share a common user namespace remapping configuration. There
	is interest in the community for having different mappings for each pod
	but for simplicity, this will not be specified in this initial KEP.
	- To have different uid/gid mappings per container. By Kubernetes
	design, all containers in a pod share the same network namespace.
	Additionally, Linux requires that sysfs can only be mounted in a
	container if the network namespace belongs to the current user
	namespace. It follows that we can't have a different user namespace
	for each container of the same pod.

[alban]

Suggested change

	- Remote volumes support e.g. NFS.
	- Remote volumes support e.g. NFS. There is interest in the community for
	supporting volumes such as NFS. However, this would increase the
	complexity significantly to consider remapping ids for volumes. So this is
	kept out of scope from this KEP and can be discussed in a future KEP
	instead.

[mauriciovasquezbernal]

New PR with complete proposal #2101.