user-namespaces: add idsPerPod configuration

AkihiroSuda · AkihiroSuda · commit ba6bf9d08d1b · 2025-02-21T17:18:27.000+09:00
Kubernetes v1.33 will support setting `userNamespaces.idsPerPod`
in `KubeletConfiguration`.

Depends on k/k PR 130028

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
diff --git a/content/en/docs/concepts/workloads/pods/user-namespaces.md b/content/en/docs/concepts/workloads/pods/user-namespaces.md
@@ -177,8 +177,6 @@ to the `kubelet` user:
   configuration.
 
 * The subordinate ID count must be a multiple of 65536
-  (for Kubernetes {{< skew currentVersion >}} the subordinate ID count for each Pod is hard-coded
-  to 65536).
 
 * The subordinate ID count must be at least `65536 x <maxPods>` where `<maxPods>`
   is the maximum number of pods that can run on the node.
@@ -209,6 +207,22 @@ kubelet:65536:7208960
 [CVE-2021-25741]: https://github.com/kubernetes/kubernetes/issues/104980
 [shadow-utils]: https://github.com/shadow-maint/shadow
 
+## ID count for each of Pods
+Starting with Kubernetes v1.33, the ID count for each of Pods can be set in
+[`KubeletConfiguration`](/docs/reference/config-api/kubelet-config.v1beta1/).
+
+```yaml
+apiVersion: kubelet.config.k8s.io/v1beta1
+kind: KubeletConfiguration
+userNamespaces:
+  idsPerPod: 1048576
+```
+
+The value of `idsPerPod` must be a multiple of 65536.
+The default value is 65536.
+
+In Kubernetes prior to v1.33, the ID count for each of Pods was hard-coded to 65536.
+
 ## Integration with Pod security admission checks
 
 {{< feature-state state="alpha" for_k8s_version="v1.29" >}}
diff --git a/content/en/docs/reference/config-api/kubelet-config.v1beta1.md b/content/en/docs/reference/config-api/kubelet-config.v1beta1.md
@@ -1637,6 +1637,13 @@ option is explicitly enabled.
 Default: false</p>
 </td>
 </tr>
+<tr><td><code>userNamespaces</code><br/>
+<a href="#kubelet-config-k8s-io-v1beta1-UserNamespaces"><code>UserNamespaces</code></a>
+</td>
+<td>
+   <p>UserNamespaces contains config for the pod user namespaces</p>
+</td>
+</tr>
 </tbody>
 </table>
 
@@ -2126,4 +2133,31 @@ managers (secret, configmap) are discovering object changes.</p>
 </tr>
 </tbody>
 </table>
-  
+
+## `UserNamespaces`     {#kubelet-config-k8s-io-v1beta1-UserNamespaces}
+
+
+**Appears in:**
+
+- [KubeletConfiguration](#kubelet-config-k8s-io-v1beta1-KubeletConfiguration)
+
+
+<p>UserNamespaces specifies the config for user namespaces</p>
+
+
+<table class="table">
+<thead><tr><th width="30%">Field</th><th>Description</th></tr></thead>
+<tbody>
+
+
+<tr><td><code>idsPerPod</code><br/>
+<code>uint32</code>
+</td>
+<td>
+   <p>idsPerPod is the mapping length of UIDs and GIDs.
+The length must be multiple of 65536.
+Default: 65536</p>
+</td>
+</tr>
+</tbody>
+</table>
