Bug 2424524

Summary: Review Request: kubernetes-user-namespace - adds 'kubelet' sysuser required for Kubernetes user namespace support
Product: [Fedora] Fedora
Reporter: Brad Smith <bradley.g.smith>
Component: Package Review
Assignee: Nobody's working on this, feel free to take it <nobody>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: ngompa13, package-review
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: ---
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Brad Smith 2025-12-22 22:34:37 UTC
Spec URL: https://buckaroogeek.fedorapeople.org/reviews/kubernetes-user-namespace.spec
SRPM URL: https://buckaroogeek.fedorapeople.org/reviews/kubernetes-user-namespace-1.0.0-1.fc44.src.rpm
Description: Installs kubelet sysuser and draft subordinate user ids for this user in /etc/subuid and /etc/subgid. This meets requirements for Kubernetes User Namespace feature which is available in Kubernetes 1.33 and newer. Enhances security for kubernetes node.
Fedora Account System Username: buckaroogeek

Comment 1 Fedora Review Service 2025-12-22 22:40:27 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/9942016
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2424524-kubernetes-user-namespace/fedora-rawhide-x86_64/09942016-kubernetes-user-namespace/fedora-review/review.txt

Please take a look if any issues were found.


---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.

Comment 2 Neal Gompa 2025-12-22 22:42:29 UTC
This package doesn't make sense. Why isn't this part of some kind of kubernetes-common thing that exists for all kubernetes packages to depend on?

Comment 3 Brad Smith 2025-12-23 00:49:18 UTC
This feature has some specific requirements including either containerd or crio and crun or runc. There are a few other technical requirements (idmap support in the filesystem) that are not too constraining. But the restriction to crio or containerd and crun or runc could potentially be blocking for some users and, in my perspective, make this capability optional and not (yet at least) a standard component.

During some testing and debugging I found that if the `kubelet` user existed on the machine but subuids were not assigned, then the kubelet service would fail to start with an error message about the misconfiguration. So I suspect that if this were part of a kubernetes-common package that was a required dependency for the kubernetes packages (e.g. kubernetes1.34) then the out-of-the-box experience would be a failure to start unless the subuids are configured, even when not used.
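The failure mode described in comment 3 (the `kubelet` user exists but has no subordinate id ranges) and the /etc/subuid and /etc/subgid entries the package description says it installs are easy to check for before starting the kubelet. The following POSIX sh preflight check is an added example, not code from the package under review or from the kubelet; it assumes the standard `name:start:count` line format of /etc/subuid and /etc/subgid, and the minimum range size of 65536 ids is an illustrative assumption, not a value taken from the page.

```shell
#!/bin/sh
# Added example (not part of the kubernetes-user-namespace package): verify that a
# service user has usable subordinate uid/gid ranges, so that a node does not end
# up in the "user exists but no subids" state that makes kubelet refuse to start.
#
# Assumptions: /etc/subuid and /etc/subgid use "name:start:count" lines (entries
# keyed by numeric uid rather than by name are not matched here), and 65536 ids
# per range is used as an illustrative minimum.

# subid_ranges NAME FILE
#   Print "start count" for every range assigned to NAME in FILE.
#   Returns 0 if at least one entry was found, 1 otherwise.
subid_ranges() {
    name=$1; file=$2
    found=1
    [ -r "$file" ] || return 1
    while IFS=: read -r entry start count; do
        [ "$entry" = "$name" ] || continue
        printf '%s %s\n' "$start" "$count"
        found=0
    done < "$file"
    return $found
}

# subid_ok NAME FILE [MIN]
#   Returns 0 if NAME has at least one well-formed range of MIN or more ids in
#   FILE (MIN defaults to 65536), 1 if not, 2 if FILE is unreadable.
subid_ok() {
    name=$1; file=$2; min=${3:-65536}
    [ -r "$file" ] || return 2
    while IFS=: read -r entry start count; do
        [ "$entry" = "$name" ] || continue
        # skip malformed lines (non-numeric or empty start/count)
        case "$start$count" in *[!0-9]*|'') continue ;; esac
        [ "$count" -ge "$min" ] && return 0
    done < "$file"
    return 1
}

# kubelet_subid_report [USER]
#   Human-readable report for the live system: user existence plus both subid
#   files. Returns non-zero if anything would block user-namespace support.
kubelet_subid_report() {
    user=${1:-kubelet}
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "user '$user' does not exist; nothing to check"
        return 1
    fi
    rc=0
    for f in /etc/subuid /etc/subgid; do
        if subid_ok "$user" "$f"; then
            echo "$f: ok ($(subid_ranges "$user" "$f" | tr '\n' ' '))"
        else
            echo "$f: no usable range for '$user' (kubelet would refuse to start with user namespaces enabled)"
            rc=1
        fi
    done
    return $rc
}
```

Source the file and run `kubelet_subid_report` (or `kubelet_subid_report someuser`) on a node; `subid_ok` and `subid_ranges` take an explicit file argument so they can also be pointed at a staged copy of the files, for example in a packaging test before the sysusers/subid fragments are installed.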

Comment 4 Neal Gompa 2025-12-23 15:19:38 UTC
> So I suspect that if this were part of a kubernetes-common package that was a required dependency for the kubernetes packages (e.g. kubernetes1.34) then the out-of-the-box experience would be a failure to start unless the subuids are configured even when not used.

So this sounds like we need this to be fixed so that we always have this configured so it can be opportunistically used.