★ 7/10 · Infra · 2026-04-23

Kubernetes v1.36: User Namespaces in Kubernetes are finally GA



Summary

Kubernetes v1.36 introduces User Namespaces at General Availability (GA) for Linux-only environments. This feature enables rootless security isolation by decoupling container user identities from the host, preventing container breakouts from resulting in host-level root access.

Key Points

  • User Namespaces reached General Availability (GA) in Kubernetes v1.36.
  • The feature is currently limited to Linux-only environments.
  • Setting hostUsers: false in the Pod specification makes capabilities such as CAP_NET_ADMIN namespaced: they confer authority over the container's own resources only, not over the host.
  • The implementation leverages Linux kernel ID-mapped mounts (introduced in Linux 5.12) to manage UID/GID translation.
  • The use of ID-mapped mounts provides O(1) complexity for volume ownership mapping, eliminating the need for expensive recursive chown operations during pod startup.

Technical Details

The primary technical challenge addressed in this release was the performance overhead of volume ownership management. Previously, mapping containers to high UID ranges required the Kubelet to recursively execute chown on every file within an attached volume to ensure the container had appropriate permissions. For large volumes, this operation caused significant delays in pod startup.

The GA implementation utilizes ID-mapped mounts to perform a transparent translation of UIDs and GIDs at the kernel level during the mount process. This allows files to appear as owned by UID 0 inside the container while their original ownership remains unchanged on the host disk. To opt a workload in, developers must set hostUsers: false within the spec of a Pod or PodTemplate. With that setting, even a process configured with runAsUser: 0 holds root only within the user namespace; its privileges do not extend to the host's root identity.
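The following is an added example, not code from the Kubernetes blog post or project, covering both the hostUsers: false opt-in from the Key Points and the UID translation described above. It has two parts: a Pod manifest that differs from a default Pod only by spec.hostUsers: false (runAsUser: 0 is kept deliberately, so root stays inside the namespace), and two helper functions that interpret the /proc/self/uid_map a process inside the Pod sees, so you can verify that the namespace is actually in effect. The UID ranges in the sample maps are constructed; the kubelet chooses the real host range.

```shell
#!/bin/sh
# Added example (not from the Kubernetes blog post). Sample UID values are constructed.

# 1. Pod manifest: the only change from a default Pod is spec.hostUsers: false.
#    runAsUser: 0 is kept on purpose: it is root inside the user namespace only.
pod_manifest() {
cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: userns-demo
spec:
  hostUsers: false
  securityContext:
    runAsUser: 0
  containers:
  - name: app
    image: busybox:1.36
    command: ["sh", "-c", "cat /proc/self/uid_map; sleep 3600"]
EOF
}

# 2. Translate a container-side UID to the host UID using a uid_map in the kernel's
#    "<inside-start> <outside-start> <count>" line format. Prints the host UID, or
#    "unmapped" when the UID falls outside every range (the kernel then exposes the
#    overflow UID, 65534 by default, for such files).
map_uid_to_host() {
  uid_map="$1"
  uid="$2"
  printf '%s\n' "$uid_map" | awk -v uid="$uid" '
    NF == 3 && uid >= $1 && uid < $1 + $3 { print $2 + (uid - $1); found = 1; exit }
    END { if (!found) print "unmapped" }'
}

# 3. Decide whether the map means "running inside a user namespace". A map of exactly
#    "0 0 4294967295" is the identity map of the host's initial namespace, i.e.
#    container root is host root; anything else is a real, separate mapping.
is_user_namespaced() {
  uid_map="$1"
  normalized=$(printf '%s\n' "$uid_map" | awk 'NF == 3 { printf "%s %s %s\n", $1, $2, $3 }')
  [ "$normalized" != "0 0 4294967295" ]
}

# Constructed sample maps: what `cat /proc/self/uid_map` would print in a
# hostUsers: false Pod whose kubelet assigned a 65536-UID block starting at host UID
# 65536, versus the identity map seen with the default hostUsers: true.
SAMPLE_NS_MAP="         0      65536      65536"
SAMPLE_HOST_MAP="         0          0 4294967295"

# Live check against a running cluster (not executed here):
#   pod_manifest | kubectl apply -f -
#   kubectl exec userns-demo -- cat /proc/self/uid_map
```

With the namespaced sample map, container UID 0 translates to host UID 65536 and UID 1000 to 66536, while a UID beyond the 65536-entry block has no host identity at all; with the identity map, UID 0 is host root, which is exactly the condition the hostUsers: false setting removes.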

Impact / Why It Matters

This feature provides a critical security layer for multi-tenant environments by ensuring that even if a container breakout occurs via a kernel vulnerability or misconfiguration, the attacker does not gain root privileges on the host. It also allows developers to run workloads requiring specific administrative capabilities without the risks associated with fully privileged containers.

kubernetes infrastructure security devops