
User namespaces in Kubernetes: Mappings and File Ownership

This blog post is part of a series on user namespaces in Kubernetes. Although userns have been in Linux for a long time, limited support for volumes has held back wider adoption in the container world.

Mappings and files

When we create a userns, we need to specify a mapping: which UIDs and GIDs inside the container correspond to which ones outside. For example:

| UID inside userns | UID outside userns | count |
|---|---|---|
| 0 | 100000 | 1 |

This maps UID 0 inside the userns to UID 100k outside. Processes inside the userns see themselves as UID 0 (even whoami says root), but from the host’s point of view they run as UID 100k. ...

April 11, 2026 · 5 min · Rodrigo Campos Catelin

All You Need to Know to Use User Namespaces in Kubernetes

This blog post is part of a series that will deep dive into user-namespaces support in Kubernetes. User-namespaces (userns) support reached GA in Kubernetes 1.36. This means you can have pods that run inside a user-namespace. The most common reasons people want to do that are:

- Improve isolation: Adopting it will significantly increase the host isolation and reduce lateral movement. UIDs/GIDs don’t overlap with any other pod or the host, and capabilities are only valid inside the pod.
- Secure nested containers: It’s possible to create a container inside a container with userns, so you can run dockerd inside a Kubernetes pod (with some other adjustments, but all available now), you can build container images, etc.

How to use it

One of the design goals was to make it trivial to adopt. All you need to do is set hostUsers to false in your pod spec. If you have the right versions of the stack, all will just work: ...

April 10, 2026 · 7 min · Rodrigo Campos Catelin