User Namespaces

[FernandoMiguel]

As we plane to upgrade to EKS 1.33, we are looking to make use of User Namespaces [https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/]
I can see from bottlerocket docs that this is not currently supported https://github.com/bottlerocket-os/bottlerocket/blob/addf9f0c6aa5959c622a11d5e2ae5d8806da1fcd/SECURITY_GUIDANCE.md#do-not-run-containers-as-uid-0
I assume primarily cause it's still using kernels (5.10/5.15 LTS) do not have the idmap mount support for tmpfs that was introduced in Linux 6.3.

Are there any plans to add a newer kernel in the near future?
thanks in advance

[yeazelm]

Hello @FernandoMiguel,

I assume primarily cause it's still using kernels (5.10/5.15 LTS) do not have the idmap mount support for tmpfs that was introduced in Linux 6.3.

We no longer have 5.10 or 5.15 kernels in our kernel kit.

Are there any plans to add a newer kernel in the near future?

We currently have 6.1 and 6.12 kernels available and our k8s 1.33+ variants use the 6.12 kernel. Bottlerocket sets max_user_namespaces to 0 by default but you can change this limit using settings:

[settings.kernel.sysctl]
"user.max_user_namespaces" = "16384"

[FernandoMiguel]

thanks for the reply @yeazelm
can you explain a bit more how max_user_namespaces would work here?
I couldn't find any docs for it, sorry

[FernandoMiguel]

I got more info in #3328. thanks