AS
Uploaded byAkihiro Suda
28 views

[CNCF TAG-Runtime] Usernetes Gen2

Usernetes is a rootless Kubernetes implementation designed to enhance security by isolating user privileges within user namespaces, preventing attackers from gaining root access even if they exploit pods or kubelet APIs. The project, initiated in 2018, integrates technologies like Kubernetes, Docker, and Podman and offers improvements in multi-node networking and host dependency management in its second generation, which began in 2023. Notable implementations include Kind, Minikube, and K3s, which support the rootless model with various configurations.

Embed presentation

Download to read offline
Usernetes Generation 2 Kubernetes in Rootless Docker https://github.com/rootless-containers/usernetes Akihiro Suda, NTT CNCF TAG-Runtime Meeting (Oct 26, 2023)
• Rootless Kubernetes – Even if an attacker has escaped from a Pod, or gained an access to kubelet API, the attacker still cannot gain the root privilege of the node • Implemented by putting kubelet, CRI, OCI, CNI, etc. in a user namespace – UserNS: Linux kernel’s feature that maps a non-root user to a fake root (the root privilege is limited inside the namespace) • Multi-node networking is possible with VXLAN 2 Usernetes github.com/rootless-containers/usernetes
• Began in 2018 – As old as Rootless Docker (pre-release at that time) and Rootless Podman • The changes to Kubernetes was merged in Kubernetes v1.22 (Aug 2021) – Feature gate: “KubeletInUserNamespace” (Alpha) • The feature gate was also adopted by: – kind (with Rootless Docker or Rootless Podman) – Minikube (with Rootless Docker or Rootless Podman) – k3s 3 History
Gen 1 (2018-2023) Gen 2 (2023-) Host dependency RootlessKit Rootless Docker, Rootless Podman, or Rootless nerdctl (contaiNERD CTL) Supports kubeadm No Yes Supports multi-node Yes, but practically No, due to complexity Yes Supports hostPath volumes Yes Yes, for most paths, but needs an extra config 4 Usernetes Gen 1 vs Gen 2 ”The hard way” Similar to `kind` and minikube, but supports real multi-node
5 Usage # Bootstrap the first node make up make kubeadm-init make install-flannel # Enable kubectl make kubeconfig export KUBECONFIG=$(pwd)/kubeconfig kubectl get pods -A # Multi-node make join-command scp join-command another-host:~/usernetes ssh another-host make -C ~/usernetes up kubeadm-join

More Related Content

PDF
20240201 [HPC Containers] Rootless Containers.pdf
byAkihiro Suda
 
PDF
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
byAkihiro Suda
 
PDF
[Podman Special Event] Kubernetes in Rootless Podman
byAkihiro Suda
 
PDF
Rootless Containers
byAkihiro Suda
 
PDF
Rootless Kubernetes
byAkihiro Suda
 
PDF
Podman rootless containers
byGiuseppe Scrivano
 
PPTX
Usernetes: Kubernetes as a non-root user
byAkihiro Suda
 
PDF
[KubeCon NA 2020] containerd: Rootless Containers 2020
byAkihiro Suda
 
20240201 [HPC Containers] Rootless Containers.pdf
byAkihiro Suda
 
20240415 [Container Plumbing Days] Usernetes Gen2 - Kubernetes in Rootless Do...
byAkihiro Suda
 
[Podman Special Event] Kubernetes in Rootless Podman
byAkihiro Suda
 
Rootless Containers
byAkihiro Suda
 
Rootless Kubernetes
byAkihiro Suda
 
Podman rootless containers
byGiuseppe Scrivano
 
Usernetes: Kubernetes as a non-root user
byAkihiro Suda
 
[KubeCon NA 2020] containerd: Rootless Containers 2020
byAkihiro Suda
 

Similar to [CNCF TAG-Runtime] Usernetes Gen2

PDF
The State of Rootless Containers
byAkihiro Suda
 
PDF
Rootless Containers & Unresolved issues
byAkihiro Suda
 
PPTX
Going Serverless with Kubeless In Google Container Engine (GKE)
byBitnami
 
PDF
Networking in docker ee with kubernetes and swarm
byDocker, Inc.
 
PDF
20250403 [KubeCon EU Pavilion] containerd.pdf
byAkihiro Suda
 
PDF
[DockerCon 2019] Hardening Docker daemon with Rootless mode
byAkihiro Suda
 
PDF
DCSF19 Hardening Docker daemon with Rootless mode
byDocker, Inc.
 
PDF
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
byAkihiro Suda
 
PDF
Networking in Docker EE 2.0 with Kubernetes and Swarm
byAbhinandan P.b
 
The State of Rootless Containers
byAkihiro Suda
 
Rootless Containers & Unresolved issues
byAkihiro Suda
 
Going Serverless with Kubeless In Google Container Engine (GKE)
byBitnami
 
Networking in docker ee with kubernetes and swarm
byDocker, Inc.
 
20250403 [KubeCon EU Pavilion] containerd.pdf
byAkihiro Suda
 
[DockerCon 2019] Hardening Docker daemon with Rootless mode
byAkihiro Suda
 
DCSF19 Hardening Docker daemon with Rootless mode
byDocker, Inc.
 
[DockerCon 2020] Hardening Docker daemon with Rootless Mode
byAkihiro Suda
 
Networking in Docker EE 2.0 with Kubernetes and Swarm
byAbhinandan P.b
 

More from Akihiro Suda

PDF
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
byAkihiro Suda
 
PDF
20250617 [KubeCon JP 2025] containerd - Project Update and Deep Dive.pdf
byAkihiro Suda
 
PDF
20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf
byAkihiro Suda
 
PDF
20241113 [KubeCon NA Pavilion] containerd.pdf
byAkihiro Suda
 
PDF
[Container Plumbing Days 2023] Why was nerdctl made?
byAkihiro Suda
 
PDF
【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール
byAkihiro Suda
 
PDF
The internals and the latest trends of container runtimes
byAkihiro Suda
 
PDF
【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか
byAkihiro Suda
 
PDF
20251113 [KubeCon NA Pavilion] Lima.pdf_
byAkihiro Suda
 
PDF
20251112 [KubeCon NA Pavilion] containerd.pdf
byAkihiro Suda
 
PDF
20240320 [KubeCon EU Pavilion] containerd.pdf
byAkihiro Suda
 
PDF
[KubeConNA2023] containerd pavilion
byAkihiro Suda
 
PDF
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
byAkihiro Suda
 
PDF
20240321 [KubeCon EU Pavilion] Lima.pdf_
byAkihiro Suda
 
PDF
[KubeConEU2023] Lima pavilion
byAkihiro Suda
 
PDF
[KubeConNA2023] Lima pavilion
byAkihiro Suda
 
PDF
20250402 [KubeCon EU Pavilion] Lima.pdf_
byAkihiro Suda
 
PDF
20241115 [KubeCon NA Pavilion] Lima.pdf_
byAkihiro Suda
 
PDF
20250616 [KubeCon JP 2025] VexLLM - Silence Negligible CVE Alerts Using LLM.pdf
byAkihiro Suda
 
PDF
[KubeConEU2023] containerd pavilion
byAkihiro Suda
 
[DockerConハイライト] OpenPubKeyによるイメージの署名と検証.pdf
byAkihiro Suda
 
20250617 [KubeCon JP 2025] containerd - Project Update and Deep Dive.pdf
byAkihiro Suda
 
20250403 [KubeCon EU] containerd - Project Update and Deep Dive.pdf
byAkihiro Suda
 
20241113 [KubeCon NA Pavilion] containerd.pdf
byAkihiro Suda
 
[Container Plumbing Days 2023] Why was nerdctl made?
byAkihiro Suda
 
【Vuls祭り#10 (2024/08/20)】 VexLLM: LLMを用いたVEX自動生成ツール
byAkihiro Suda
 
The internals and the latest trends of container runtimes
byAkihiro Suda
 
【情報科学若手の会 (2024/09/14】なぜオープンソースソフトウェアにコントリビュートすべきなのか
byAkihiro Suda
 
20251113 [KubeCon NA Pavilion] Lima.pdf_
byAkihiro Suda
 
20251112 [KubeCon NA Pavilion] containerd.pdf
byAkihiro Suda
 
20240320 [KubeCon EU Pavilion] containerd.pdf
byAkihiro Suda
 
[KubeConNA2023] containerd pavilion
byAkihiro Suda
 
[DockerCon 2023] Reproducible builds with BuildKit for software supply chain ...
byAkihiro Suda
 
20240321 [KubeCon EU Pavilion] Lima.pdf_
byAkihiro Suda
 
[KubeConEU2023] Lima pavilion
byAkihiro Suda
 
[KubeConNA2023] Lima pavilion
byAkihiro Suda
 
20250402 [KubeCon EU Pavilion] Lima.pdf_
byAkihiro Suda
 
20241115 [KubeCon NA Pavilion] Lima.pdf_
byAkihiro Suda
 
20250616 [KubeCon JP 2025] VexLLM - Silence Negligible CVE Alerts Using LLM.pdf
byAkihiro Suda
 
[KubeConEU2023] containerd pavilion
byAkihiro Suda
 

Recently uploaded

PDF
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
PDF
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
PPTX
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
PPTX
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
PDF
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
PDF
Healthcare Mobile App Development: Features & Benefits
byjoealwyn38
 
PDF
Enterprise Software’s Role in Data-Driven Decisions
byShiv Technolabs Pvt. Ltd.
 
PDF
our environment ppt made by many people name rarang yadav
byrarang180
 
PDF
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
PPTX
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
PPTX
1-introduction-to-databases notes start .pptx
byBeatrice1625
 
PDF
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
PDF
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PDF
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
PDF
DSD-INT 2025 iMOD Coupler - coupling Ribasim – MetaSWAP – MODFLOW 6 - Leander
byDeltares
 
PDF
C_ABAPD_2507 (83%).pdf antwoten certificate
byImaneKrioutate
 
PDF
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
PPTX
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 
PDF
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 
How Fireworks AI Achieves 1TB_s+ Throughput for Model Deployment Across Multi...
byAlluxio, Inc.
 
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
Instrumentation.Instrumentation.Instrumentation.pptx
byDavid Kurtz
 
Performance Engineering: New and Conflicting Trends
byAlexander Podelko
 
Cloud Automotive Software: Cost, Speed & Scalability
byShiv Technolabs Pvt. Ltd.
 
Healthcare Mobile App Development: Features & Benefits
byjoealwyn38
 
Enterprise Software’s Role in Data-Driven Decisions
byShiv Technolabs Pvt. Ltd.
 
our environment ppt made by many people name rarang yadav
byrarang180
 
828275126-INTUNE-Instructor-Handout-Part2.pdf
byamdusias67
 
NetworkMediaWireless (1).pptxunsnsndjdjdjjdnd
byre7022
 
1-introduction-to-databases notes start .pptx
byBeatrice1625
 
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
The Future of Microsoft Project Management Tools - Connecting Teams, Work, an...
byOnePlan Solutions
 
DSD-INT 2025 iMOD Coupler - coupling Ribasim – MetaSWAP – MODFLOW 6 - Leander
byDeltares
 
C_ABAPD_2507 (83%).pdf antwoten certificate
byImaneKrioutate
 
DSD-INT 2025 Groundwater table lowering due to surface water lowering - Reusen
byDeltares
 
ONLINE TRAVEL BUSINESS SOFTWARE | BUSINESS TRAVEL SOFTWARE
byphilipnathen82
 
Cybernetic Global Intelligence Securing Businesses in a Digital-First World.pdf
byCybernetic Global Intelligence
 

[CNCF TAG-Runtime] Usernetes Gen2

  • 1.
    Usernetes Generation 2 Kubernetesin Rootless Docker https://github.com/rootless-containers/usernetes Akihiro Suda, NTT CNCF TAG-Runtime Meeting (Oct 26, 2023)
  • 2.
    • Rootless Kubernetes –Even if an attacker has escaped from a Pod, or gained an access to kubelet API, the attacker still cannot gain the root privilege of the node • Implemented by putting kubelet, CRI, OCI, CNI, etc. in a user namespace – UserNS: Linux kernel’s feature that maps a non-root user to a fake root (the root privilege is limited inside the namespace) • Multi-node networking is possible with VXLAN 2 Usernetes github.com/rootless-containers/usernetes
  • 3.
    • Began in2018 – As old as Rootless Docker (pre-release at that time) and Rootless Podman • The changes to Kubernetes was merged in Kubernetes v1.22 (Aug 2021) – Feature gate: “KubeletInUserNamespace” (Alpha) • The feature gate was also adopted by: – kind (with Rootless Docker or Rootless Podman) – Minikube (with Rootless Docker or Rootless Podman) – k3s 3 History
  • 4.
    Gen 1 (2018-2023)Gen 2 (2023-) Host dependency RootlessKit Rootless Docker, Rootless Podman, or Rootless nerdctl (contaiNERD CTL) Supports kubeadm No Yes Supports multi-node Yes, but practically No, due to complexity Yes Supports hostPath volumes Yes Yes, for most paths, but needs an extra config 4 Usernetes Gen 1 vs Gen 2 ”The hard way” Similar to `kind` and minikube, but supports real multi-node
  • 5.
    5 Usage # Bootstrap thefirst node make up make kubeadm-init make install-flannel # Enable kubectl make kubeconfig export KUBECONFIG=$(pwd)/kubeconfig kubectl get pods -A # Multi-node make join-command scp join-command another-host:~/usernetes ssh another-host make -C ~/usernetes up kubeadm-join