Add support for CRI-O user namespaces (#8268)

* add support for cri-o user namespaces * comply with yamllint rules
2026-02-01 09:38:12 -03:30 · 2021-12-20 15:37:25 +01:00
parent c59407f105
commit f01f7c54aa
4 changed files with 45 additions and 0 deletions
--- a/docs/cri-o.md
+++ b/docs/cri-o.md
@@ -60,3 +60,24 @@ crio_pids_limit: 4096

 [CRI-O]: https://cri-o.io/
 [cri-o#1921]: https://github.com/cri-o/cri-o/issues/1921
+
+## Note about user namespaces
+
+CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.
+
+```yaml
+crio_runtimes:
+  - name: runc
+    path: /usr/bin/runc
+    type: oci
+    root: /run/runc
+    allowed_annotations:
+    - "io.kubernetes.cri-o.userns-mode"
+
+crio_remap_enable: true
+```
+
+The `allowed_annotations` configures `crio.conf` accordingly.
+
+The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to add an entry for the **containers** user.
+By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.