Isolate the Users! Supporting User Namespaces in K8s for Increased Security
CNCF [Cloud Native Computing Foundation] via YouTube
Overview
Explore user namespaces in Kubernetes for enhanced security in this conference talk. Learn about the risks of running processes as root inside containers and discover how Linux user namespaces can mitigate these risks by isolating user and group IDs. Delve into the ongoing efforts to implement user namespace support in Kubernetes, including the Kubernetes Enhancement Proposal (KEP-127) and prototype implementations. Understand the challenges faced, particularly with volumes, and examine potential solutions such as shiftfs and idmapped mounts. Gain insights into ID mapping modes and how they compare, and see a demonstration of the concept in action. Discover the next steps in bringing this crucial security feature to Kubernetes clusters.
Syllabus
Introduction
The Problem
Mitigations
What are user namespaces
ID mapping
Isolate capability
Example
History
Challenges
Solution
ID Mapping Modes
Comparison
Demonstration
Next steps
Taught by
CNCF [Cloud Native Computing Foundation]