Here are the details for our request.
Enhancement name: Add support for user namespaces
Enhancement status (alpha/beta/stable): alpha (merging this release)
SIG: sig-node
k/enhancements repo issue #: 127
PR #’s:
https://github.com/kubernetes/kubernetes/pull/111090
Additional time needed (in days): 4
Reason this enhancement is critical for this milestone:
This feature needs to be implemented in k8s and container runtimes.
If we don't make it for the k8s 1.25 release, we will not be able to merge
into containerd 1.7 (scheduled for ~October 2022). It is not clear when
the next containerd minor release (new features can't be merged in patch
releases) will be, but it is at least several months into 2023 (probably
more than just "a few").
This means user adoption will be very much delayed. And as this
enhancement increases the security of k8s deployments significantly when
used, this is far from ideal.
This first phase also allows us to work on the next phases soon (as phase
II doesn't need changes in container runtimes). Also, we are planning to
use this feature in Azure.
Risks from adding code late: (to k8s stability, testing, etc.)
Low; it is an alpha feature, disabled by default. Unit tests have been
passing since the PR was opened 20+ days ago. e2e tests are ignored on CI,
so no risks there, although we provided good e2e tests that we verified
locally. It is disabled on CI because we need support in container
runtimes to test this. As this is not yet merged in container runtimes
(it is not present in a containerd final release yet), CI doesn't run
these e2e tests.
Risks from cutting enhancement: (partial implementation, critical
customer use case, etc.)
We risk delaying significant benefits to users' security, as we will
miss merging into containerd 1.7. This means a significant (6-8+ months)
slowdown of adoption, and it also slows down the graduation of the
feature (we need user feedback to graduate with confidence).