diff --git a/content/en/docs/concepts/workloads/pods/user-namespaces.md b/content/en/docs/concepts/workloads/pods/user-namespaces.md index 4d949d0a036ed..e7242295a8d16 100644 --- a/content/en/docs/concepts/workloads/pods/user-namespaces.md +++ b/content/en/docs/concepts/workloads/pods/user-namespaces.md @@ -7,7 +7,7 @@ min-kubernetes-server-version: v1.25 --- -{{< feature-state for_k8s_version="v1.30" state="beta" >}} +{{< feature-state for_k8s_version="v1.36" state="stable" >}} This page explains how user namespaces are used in Kubernetes pods. A user namespace isolates the user running inside the container from the one @@ -52,13 +52,6 @@ user namespaces. The following OCI runtimes offer support: * [crun](https://github.com/containers/crun) version 1.9 or greater (it's recommend version 1.13+). * [runc](https://github.com/opencontainers/runc) version 1.2 or greater -{{< note >}} -Some OCI runtimes do not include the support needed for using user namespaces in -Linux pods. If you use a managed Kubernetes, or have downloaded it from packages -and set it up, it's possible that nodes in your cluster use a runtime that doesn't -include this support. -{{< /note >}} - To use user namespaces with Kubernetes, you also need to use a CRI {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} to use this feature with Kubernetes pods: @@ -243,8 +236,6 @@ In Kubernetes prior to v1.33, the ID count for each of Pods was hard-coded to ## Integration with Pod security admission checks -{{< feature-state state="alpha" for_k8s_version="v1.29" >}} - For Linux Pods that enable user namespaces, Kubernetes relaxes the application of [Pod Security Standards](/docs/concepts/security/pod-security-standards) in a controlled way. 
@@ -253,7 +244,7 @@ namespaces, the following fields won't be constrained even in contexts that enfo _Baseline_ or _Restricted_ pod security standard. This behavior does not present a security concern because `root` inside a Pod with user namespaces actually refers to the user inside the container, that is never mapped to a -privileged user on the host. Here's the list of fields that are **not** checks for Pods in those +privileged user on the host. Here's the list of fields that are **not** checked for Pods in those circumstances: - `spec.securityContext.runAsNonRoot` diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates/UserNamespacesSupport.md b/content/en/docs/reference/command-line-tools-reference/feature-gates/UserNamespacesSupport.md index eedc37e8d8747..0d4187fa7c006 100644 --- a/content/en/docs/reference/command-line-tools-reference/feature-gates/UserNamespacesSupport.md +++ b/content/en/docs/reference/command-line-tools-reference/feature-gates/UserNamespacesSupport.md @@ -17,6 +17,10 @@ stages: - stage: beta defaultValue: true fromVersion: "1.33" + - stage: stable + locked: true + defaultValue: true + fromVersion: "1.36" --- Enable user namespace support for Pods. diff --git a/content/en/docs/tasks/configure-pod-container/user-namespaces.md b/content/en/docs/tasks/configure-pod-container/user-namespaces.md index fc4880a40eb37..1062865686786 100644 --- a/content/en/docs/tasks/configure-pod-container/user-namespaces.md +++ b/content/en/docs/tasks/configure-pod-container/user-namespaces.md 
@@ -40,14 +40,6 @@ this is true when user namespaces are used. * The node OS needs to be Linux * You need to exec commands in the host * You need to be able to exec into pods -* You need to enable the `UserNamespacesSupport` - [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) - -{{< note >}} -The feature gate to enable user namespaces was previously named -`UserNamespacesStatelessPodsSupport`, when only stateless pods were supported. -Only Kubernetes v1.25 through to v1.27 recognise `UserNamespacesStatelessPodsSupport`. -{{}} The cluster that you're using **must** include at least one node that meets the [requirements](/docs/concepts/workloads/pods/user-namespaces/#before-you-begin)
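Review bot: in the `@@ -52,13 +52,6 @@` hunk of `content/en/docs/concepts/workloads/pods/user-namespaces.md`, deleting the whole note about OCI runtimes drops a caveat that is still true after graduation: stable in Kubernetes does not mean every node's runtime ships crun 1.9+ or runc 1.2+, and users of managed or package-installed clusters can still land on a runtime without user-namespace support. Consider keeping a one-sentence version of that warning next to the runtime list rather than removing it outright. The unchanged context line `(it's recommend version 1.13+)` also carries a typo; since this hunk already touches the list, it could read `(version 1.13 or later is recommended)`.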
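Review bot: in the `@@ -243,8 +236,6 @@` hunk, the `{{< feature-state state="alpha" for_k8s_version="v1.29" >}}` marker under "Integration with Pod security admission checks" is deleted rather than updated. If the relaxed Pod Security Standards handling graduated together with `UserNamespacesSupport`, that is fine, but it is worth confirming; if that integration is still tracked by its own stage, the shortcode should be bumped to the correct stage instead of removed, so readers can tell which guarantees the Pod Security admission relaxation currently carries.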
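Review bot: the `checks` to `checked` fix in the `@@ -253,7 +244,7 @@` hunk is correct; while this sentence is being edited, the preceding unchanged context line `refers to the user inside the container, that is never mapped to a` would read better as `which is never mapped to a`, and it may be worth stating the security reason more precisely: with a user namespace the container's UID 0 maps to an unprivileged host UID, which is why `runAsNonRoot` and the listed fields are no longer needed to keep the Pod from holding host root.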
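Review bot: in the `@@ -17,6 +17,10 @@` hunk of `UserNamespacesSupport.md`, the new `stable` stage is added with `fromVersion: "1.36"`, but the preceding `beta` stage (visible as unchanged context) has no `toVersion`. If the feature-gate pages on this site close superseded stages with a `toVersion`, add `toVersion: "1.35"` to the beta entry so the generated table does not show beta and stable as overlapping. The `locked: true` and `defaultValue: true` values match the GA feature-state marker (`v1.36`, `stable`) set in the concept page, so the two files are consistent.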
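Review bot: in the `@@ -40,14 +40,6 @@` hunk of `content/en/docs/tasks/configure-pod-container/user-namespaces.md`, removing the `UserNamespacesSupport` prerequisite and the `UserNamespacesStatelessPodsSupport` history note is appropriate for a locked GA gate, but readers on clusters older than v1.36 now get no hint that the gate had to be enabled. A short sentence in the prerequisites along the lines of "On clusters before v1.36 you also need to enable the `UserNamespacesSupport` feature gate" would keep the task page usable across skew, and the remaining pointer to the concept page's requirements section should then be the only place that lists runtime support.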