Loading…
In-person + Virtual
October 24-28
Learn More and Register to Attend

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon North America 2022 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Please note: This schedule is automatically displayed in Eastern Daylight Time (UTC -4). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date." The schedule is subject to change.
Back To Schedule
Thursday, October 27 • 3:25pm - 4:00pm
Run As “Root”, Not Root: User Namespaces In K8s - Marga Manterola, Isovalent & Rodrigo Campos Catelin, Microsoft

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Tweet Share
Feedback form is now closed.


What if I told you that there's a bool you can set in your pod yaml that mitigates many CVEs out there? Not just any CVEs, but some HIGH and CRITICAL ones! This feature is coming to Kubernetes, thanks to user namespaces, and we'll tell you all about it.

User namespaces is a kernel feature that isolates the user in the container from the one in the host. A process running as root in a container can run as a different (non-root) user in the host. This is a HUGE improvement: if a process escapes the container, the privileges on the host are significantly reduced. Furthermore, some capabilities are void and others are only valid inside the user namespace.

Many container workloads that run as root today can benefit from this already: enable user namespace in their pod yaml and be more secure without additional changes.

This talk will explain how to use this feature in your cluster, how it is implemented, the current state of the KEP and future work and challenges in this area.
Speakers
avatar for Rodrigo Campos Catelin

Rodrigo Campos Catelin

Software Engineer, Microsoft
Rodrigo studied Computer Science at the University of Buenos Aires (Argentina). He has been involved in Kubernetes since 2016 and has been a free software developer for 20 years. He is currently working on user namespaces support in Kubernetes. Previously, he worked on support for... Read More →
avatar for Marga Manterola

Marga Manterola

Director of Engineering, Isovalent
A Debian Developer and Open Source enthusiast, Marga has been working with Linux for 20 years. She worked as an SRE at Google, in the team maintaining the internal Linux distribution used by Google engineers. She later joined the cloud native world, working on Flatcar, a container... Read More →

User namespaces in k8s pdf
Thursday October 27, 2022 3:25pm - 4:00pm EDT
Virtual Platform Only
  Security + Identity + Policy