Isolate the Users! Supporting User Namespaces in K8s for Increased Security

Authors: Mauricio Vásquez Bernal


Summary

The presentation discusses implementing user namespaces in Kubernetes clusters to improve security and isolation.
  • User namespaces can be used to isolate containers and blunt the impact of vulnerabilities such as the runC vulnerability.
  • There are two modes for implementing user namespaces: pod mode and cluster mode.
  • Pod mode offers better isolation between containers running on the same node, while cluster mode allows a larger range of IDs to be assigned to each namespace or service account.
  • The upcoming Linux kernel feature, idmapped mounts, will provide a solution for the duplicate-snapshot and volume-sharing issues.
  • Pod mode is a good candidate for implementation due to its support for high units and path isolation.
The presenter demonstrated how user namespaces protect against the runC vulnerability by using a vulnerable runC binary and showing how it can be exploited without user namespaces, but is prevented with them.

Abstract

Running a process as root inside containers is a security risk: if such a process is able to break out of the container into the host, it can cause considerable damage as it will be running as a privileged user there. The good news is that Linux has a solution for this problem: user namespaces isolate user and group IDs, so a process running as root in a container runs as non-root in the host. The bad news is that Kubernetes doesn’t yet support user namespaces. So, we created a Kubernetes Enhancement Proposal (KEP-127) with a plan to bring this support to a future release. We also implemented a prototype of this idea in Kubernetes and containerd. In this talk, I’ll introduce user namespaces and how they can increase the security of a Kubernetes cluster. I’ll explain how we are working with the community to bring this support to Kubernetes, the challenges we are facing, in particular with volumes, and how different approaches like shiftfs and idmapped mounts are trying to fix them.
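As an added illustration (not code from the talk or from KEP-127), the Python below parses the Linux `uid_map` format and shows the two points the abstract makes: container UID 0 lands on an unprivileged host UID, and disjoint per-pod ranges (the KEP's pod mode) keep pods from sharing host IDs. The 65536-ID range per pod, the 1,000,000 base and the sample map are assumptions.

```python
# Added example: how a user-namespace uid_map turns "root in the container"
# into an unprivileged host UID, and how per-pod ranges keep pods apart.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Mapping:
    inside_start: int   # first ID inside the namespace
    outside_start: int  # first ID in the parent (host) namespace
    length: int         # number of consecutive IDs mapped

def parse_uid_map(text: str) -> List[Mapping]:
    """Parse the /proc/<pid>/uid_map format: '<inside> <outside> <count>' per line."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, count = (int(field) for field in line.split())
        maps.append(Mapping(inside, outside, count))
    return maps

def to_host_uid(container_uid: int, maps: List[Mapping]) -> Optional[int]:
    """Translate a namespace UID to the host UID; None if the UID is unmapped."""
    for m in maps:
        if m.inside_start <= container_uid < m.inside_start + m.length:
            return m.outside_start + (container_uid - m.inside_start)
    return None  # unmapped IDs show up on the host as the overflow ID (nobody)

POD_RANGE = 65536  # assumption: one full 16-bit ID range per pod, as in pod mode

def pod_mode_maps(pod_index: int, base: int = 1_000_000) -> List[Mapping]:
    """Give pod number N its own disjoint host range starting at base + N*POD_RANGE."""
    return [Mapping(0, base + pod_index * POD_RANGE, POD_RANGE)]

def ranges_overlap(a: List[Mapping], b: List[Mapping]) -> bool:
    """True if any host ID is reachable from both namespaces (a sharing hazard)."""
    for x in a:
        for y in b:
            if (x.outside_start < y.outside_start + y.length
                    and y.outside_start < x.outside_start + x.length):
                return True
    return False

# Constructed uid_map, as a kubelet might write it for the second pod in pod mode.
SAMPLE_UID_MAP = "         0    1065536      65536\n"

if __name__ == "__main__":
    maps = parse_uid_map(SAMPLE_UID_MAP)
    print("container root -> host uid:", to_host_uid(0, maps))
    print("pods 0 and 1 share host IDs?", ranges_overlap(pod_mode_maps(0), pod_mode_maps(1)))
```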
