sig-node: Kubelet-in-UserNS, aka Rootless mode #2033

AkihiroSuda · 2020-09-30T04:33:09Z

Enhancement Description

One-line enhancement description (can be used as a release note):
Allow running the entire Kubernetes components (kubelet, CRI, OCI, CNI, and all kube-*) as a non-root user on the host.
Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
Discussion Link:
- POC: https://github.com/rootless-containers/usernetes
- k/k PR: kubelet & kube-proxy: ignore sysctl errors and rlimit errors when running in UserNS (for rootless) kubernetes#92863 (merged in v1.22)
- Proposal in kind repo: Support Rootless Docker / Kubernetes kubernetes-sigs/kind#1797
- Proposal in minikube repo: add support for rootless Docker minikube#10836
- Documentation PR: Add KubeletInUserNamespace feature gate website#28827
Primary contact (assignee):
@AkihiroSuda
Responsible SIGs:
SIG-node
Enhancement target (which target equals to which milestone):
- Alpha release target (1.22)
- Beta release target (TBD)
- Stable release target (TBD)

The text was updated successfully, but these errors were encountered:

AkihiroSuda · 2020-09-30T04:34:17Z

/sig node

kikisdeliveryservice · 2020-09-30T18:20:02Z

Thanks for opening this @AkihiroSuda !

As a reminder Enhancements Freeze is next Tuesday October 6th, by which time KEPs must be merged in an implementable state (you have this), have test plans(you have this) and graduation criteria (you have this).

kendallroden · 2020-10-05T22:21:24Z

Hi @AkihiroSuda , Just a reminder that the outstanding PR (#1371) must be merged by EOD PST tomorrow (10/6) for this KEP to be included in the Enhancements Freeze for the 1.20 release. After that time you will need to request an Exception to be included in the 1.20 Release.

Best,
Kendall
Enhancements Team 1.20

kikisdeliveryservice · 2020-10-07T02:18:21Z

Hi @AkihiroSuda

Enhancements Freeze is now in effect. Unfortunately, your KEP PR did not merge. If you wish to be included in the 1.20 Release, please submit an Exception Request as soon as possible.

Best,
Kirsten
1.20 Enhancements Lead

fejta-bot · 2021-01-05T04:43:49Z

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

AkihiroSuda · 2021-01-05T04:47:33Z

/remove-lifecycle stale

fejta-bot · 2021-04-05T04:55:09Z

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

AkihiroSuda · 2021-04-05T04:57:21Z

/remove-lifecycle stale

george-angel · 2021-04-05T09:03:01Z

/remove-lifecycle stale

gracenng · 2021-05-10T03:13:50Z

Hi @AkihiroSuda 👋 1.22 Enhancement shadow here.

This enhancement is well on its way, some minor change requests in light of Enhancement Freeze on Thursday May 13th:

Update kep.yaml file to the latest template, as well as fill in approvers prr-approvers and update milestones
Obtain a PRR approval

Thanks 😊

AkihiroSuda · 2022-07-08T11:06:23Z

/remove-lifecycle stale

rhockenbury · 2022-10-01T02:02:33Z

/milestone clear

k8s-triage-robot · 2022-12-30T03:00:34Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

AkihiroSuda · 2022-12-30T03:02:47Z

/remove-lifecycle stale

k8s-triage-robot · 2023-01-29T03:54:25Z

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

AkihiroSuda · 2023-01-29T04:14:56Z

/remove-lifecycle rotten

k8s-triage-robot · 2023-04-29T04:16:49Z

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

AkihiroSuda · 2023-04-29T04:57:24Z

/remove-lifecycle stale

AkihiroSuda · 2023-09-18T15:28:43Z

~~As a baby step to set up the CI for this, I'm updating the KRTE image in test-infra to support Rootless Docker~~:

images/krte: add Rootless Docker (and systemd as a dependency) test-infra#30744

EDIT (Oct 17, 2023): the current plan is to spawn AWS or GCP VMs via kubetest2: kubernetes/test-infra#30744 (comment)

AkihiroSuda · 2023-10-17T14:18:20Z

Now all the [NodeConformance] tests pass with:

e2e: add [Environment:NotInUserNS] tag to sysctl tests kubernetes#121293

Not integrated to prow yet though

AkihiroSuda · 2023-10-20T11:17:07Z

PR for prow:

[sig-testing] Add ci-kubernetes-e2e-kind-rootless test-infra#31085

EDIT (Nov 30, 2023): failing due to:

ci-kubernetes-e2e-kind-rootless is failing due to Required 'compute.networks.create' permission for 'projects/k8s-prow-builds/global/networks/kt2-kindinv-prow-def2ae21' test-infra#31339

AkihiroSuda · 2024-01-16T07:20:28Z

Now CI is green:

https://prow.k8s.io/job-history/gs/kubernetes-jenkins/logs/ci-kubernetes-e2e-kind-rootless

kannon92 · 2024-03-22T14:48:58Z

With cgroup v2 promoted to GA, should we consider promoting this KEP to beta?

Esp with usernamespaces being promoted to beta in 1.30.

AkihiroSuda · 2024-03-22T15:10:00Z

With cgroup v2 promoted to GA, should we consider promoting this KEP to beta?

Esp with usernamespaces being promoted to beta in 1.30.

Yes, let me try it in the v1.31 window

AkihiroSuda · 2024-06-11T16:33:20Z

↑
I'm busy for another (unrelated) KEP #4668 , so I'll retry it in the v1.32 window

kannon92 · 2024-08-20T21:31:20Z

@AkihiroSuda will you be able to work on this for v1.32?

I'm going to mark this as proposed for consideration.

k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Sep 30, 2020

AkihiroSuda mentioned this issue Sep 30, 2020

sig-node: Kubelet-in-UserNS, aka Rootless mode #1371

Merged

k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 30, 2020

kikisdeliveryservice added the stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status label Sep 30, 2020

kikisdeliveryservice added this to the v1.20 milestone Sep 30, 2020

kikisdeliveryservice added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Sep 30, 2020

kikisdeliveryservice added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Oct 7, 2020

kikisdeliveryservice removed this from the v1.20 milestone Oct 7, 2020

alexandrevicenzi mentioned this issue Dec 11, 2020

Test rootless kubernetes on 1.21 alpha/betas kubic-project/microos-roadmap#1

Open

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 5, 2021

k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 5, 2021

This was referenced Feb 26, 2021

"Kind create cluster" fails to create any cluster, but "sudo kind create cluster" works kubernetes-sigs/kind#2094

Closed

Unclear error on 'kind cluster create' kubernetes-sigs/kind#2093

Closed

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 5, 2021

k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 5, 2021

JamesLaverack added tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 5, 2021

JamesLaverack added this to the v1.22 milestone May 5, 2021

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 8, 2022

k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 8, 2022

k8s-ci-robot removed this from the v1.22 milestone Oct 1, 2022

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 30, 2022

k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 29, 2023

k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 29, 2023

AkihiroSuda mentioned this issue Feb 8, 2023

KEP-2033: update testing plan for KubeletInUserNamespace #3859

Merged

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 29, 2023

k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 29, 2023

Atharva-Shinde added stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status and removed stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels May 14, 2023

AkihiroSuda mentioned this issue Sep 18, 2023

images/krte: add Rootless Docker (and systemd as a dependency) kubernetes/test-infra#30744

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sig-node: Kubelet-in-UserNS, aka Rootless mode #2033

sig-node: Kubelet-in-UserNS, aka Rootless mode #2033

AkihiroSuda commented Sep 30, 2020 •

edited

Loading

AkihiroSuda commented Sep 30, 2020

kikisdeliveryservice commented Sep 30, 2020

kendallroden commented Oct 5, 2020 •

edited

Loading

kikisdeliveryservice commented Oct 7, 2020

fejta-bot commented Jan 5, 2021

AkihiroSuda commented Jan 5, 2021

fejta-bot commented Apr 5, 2021

AkihiroSuda commented Apr 5, 2021

george-angel commented Apr 5, 2021

gracenng commented May 10, 2021

AkihiroSuda commented Jul 8, 2022

rhockenbury commented Oct 1, 2022

k8s-triage-robot commented Dec 30, 2022

AkihiroSuda commented Dec 30, 2022

k8s-triage-robot commented Jan 29, 2023

AkihiroSuda commented Jan 29, 2023

k8s-triage-robot commented Apr 29, 2023

AkihiroSuda commented Apr 29, 2023

AkihiroSuda commented Sep 18, 2023 •

edited

Loading

AkihiroSuda commented Oct 17, 2023 •

edited

Loading

AkihiroSuda commented Oct 20, 2023 •

edited

Loading

AkihiroSuda commented Jan 16, 2024

kannon92 commented Mar 22, 2024

AkihiroSuda commented Mar 22, 2024

AkihiroSuda commented Jun 11, 2024

kannon92 commented Aug 20, 2024 •

edited

Loading

sig-node: Kubelet-in-UserNS, aka Rootless mode #2033

sig-node: Kubelet-in-UserNS, aka Rootless mode #2033

Comments

AkihiroSuda commented Sep 30, 2020 • edited Loading

Enhancement Description

AkihiroSuda commented Sep 30, 2020

kikisdeliveryservice commented Sep 30, 2020

kendallroden commented Oct 5, 2020 • edited Loading

kikisdeliveryservice commented Oct 7, 2020

fejta-bot commented Jan 5, 2021

AkihiroSuda commented Jan 5, 2021

fejta-bot commented Apr 5, 2021

AkihiroSuda commented Apr 5, 2021

george-angel commented Apr 5, 2021

gracenng commented May 10, 2021

AkihiroSuda commented Jul 8, 2022

rhockenbury commented Oct 1, 2022

k8s-triage-robot commented Dec 30, 2022

AkihiroSuda commented Dec 30, 2022

k8s-triage-robot commented Jan 29, 2023

AkihiroSuda commented Jan 29, 2023

k8s-triage-robot commented Apr 29, 2023

AkihiroSuda commented Apr 29, 2023

AkihiroSuda commented Sep 18, 2023 • edited Loading

AkihiroSuda commented Oct 17, 2023 • edited Loading

AkihiroSuda commented Oct 20, 2023 • edited Loading

AkihiroSuda commented Jan 16, 2024

kannon92 commented Mar 22, 2024

AkihiroSuda commented Mar 22, 2024

AkihiroSuda commented Jun 11, 2024

kannon92 commented Aug 20, 2024 • edited Loading

AkihiroSuda commented Sep 30, 2020 •

edited

Loading

kendallroden commented Oct 5, 2020 •

edited

Loading

AkihiroSuda commented Sep 18, 2023 •

edited

Loading

AkihiroSuda commented Oct 17, 2023 •

edited

Loading

AkihiroSuda commented Oct 20, 2023 •

edited

Loading

kannon92 commented Aug 20, 2024 •

edited

Loading