Commit 8db8367

Merge pull request #100744 from mburke5678/node-user-ns-known-issue-fixes
OSDOCS 16556 Linux User Namespace ID-mapped mount information fixes
2 parents 373704a + 499a19b commit 8db8367

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

nodes/pods/nodes-pods-user-namespaces.adoc

Lines changed: 2 additions & 2 deletions
@@ -12,11 +12,11 @@ By default, a container runs in the host user namespace. Running a container in
1212

1313
Running containers in individual user namespaces can mitigate container breakouts and several other vulnerabilities that a compromised container can pose to other pods and the node itself.
1414

15-
When running a pod in an isolated user namespace, the UID/GID inside a pod container no longer matches the UID/GID on the host. In order for file system ownership to work correctly, the Linux kernel uses ID-mapped mounts, which translate user IDs between the container and the host at the virtual file system (VFS) layer.
15+
When running a pod in an isolated user namespace, the UID/GID inside a pod container no longer matches the UID/GID on the host. For file system ownership to work correctly, the Linux kernel uses ID-mapped mounts, which translate user IDs between the container and the host at the virtual file system (VFS) layer.
1616

1717
[IMPORTANT]
1818
====
19-
Not all file systems currently support ID-mapped mounts, such as Network File Systems (NFS) and other network/distributed file systems. Any pod that is using an NFS-backed persistent volume from a vendor that does not support ID-mapped mounts might experience access or permission issues when running in a user namespace. This behavior is not specific to {product-title}. It applies to all Kubernetes distributions from Kubernetes v1.33 onward.
19+
Not all file systems currently support ID-mapped mounts, such as Network File Systems (NFS) and other network/distributed file systems. Any pod that is using an NFS-backed persistent volume from a vendor that does not support ID-mapped mounts might experience access or permission issues when running in a user namespace. This behavior is not specific to {product-title}. It applies to all Kubernetes distributions from Kubernetes v1.33 and later.
2020
====
2121

2222
// The following include statements pull in the module files that comprise
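Review bot: the line 19 rewording swaps one awkward phrase for another: "from Kubernetes v1.33 and later" combines "from" with "and later", so either keep the original "from Kubernetes v1.33 onward" or drop the preposition and write "It applies to all Kubernetes distributions at v1.33 and later." While this line is being touched, its opening sentence still reads "Not all file systems currently support ID-mapped mounts, such as Network File Systems (NFS)", where "such as" grammatically attaches examples to the file systems that do support them; the intended meaning is clearer as "Some file systems, such as Network File System (NFS) and other network or distributed file systems, do not yet support ID-mapped mounts." (Also, "Network File System" is singular in the expansion of NFS.)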

0 commit comments
