Bug 2424524 - Review Request: kubernetes-user-namespace - adds 'kubelet' sysuser required for Kubernetes namespace support
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-12-22 22:34 UTC by Brad Smith
Modified: 2025-12-23 15:19 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:



Description Brad Smith 2025-12-22 22:34:37 UTC
Spec URL: https://buckaroogeek.fedorapeople.org/reviews/kubernetes-user-namespace.spec
SRPM URL: https://buckaroogeek.fedorapeople.org/reviews/kubernetes-user-namespace-1.0.0-1.fc44.src.rpm
Description: Installs the kubelet sysuser and draft subordinate user ids for this user in /etc/subuid and /etc/subgid. This meets the requirements for the Kubernetes User Namespace feature, which is available in Kubernetes 1.33 and newer, and enhances security for the Kubernetes node.
Fedora Account System Username: buckaroogeek

Comment 1 Fedora Review Service 2025-12-22 22:40:27 UTC
Copr build:
https://copr.fedorainfracloud.org/coprs/build/9942016
(succeeded)

Review template:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2424524-kubernetes-user-namespace/fedora-rawhide-x86_64/09942016-kubernetes-user-namespace/fedora-review/review.txt

Please take a look if any issues were found.


---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.

Comment 2 Neal Gompa 2025-12-22 22:42:29 UTC
This package doesn't make sense. Why isn't this part of some kind of kubernetes-common thing that exists for all kubernetes packages to depend on?

Comment 3 Brad Smith 2025-12-23 00:49:18 UTC
This feature has some specific requirements including either containerd or crio and crun or runc. There are a few other technical requirements (idmap support in the filesystem) that are not too constraining. But the restriction to crio or containerd and crun or runc could potentially be blocking for some users and, in my perspective, make this capability optional and not (yet at least) a standard component.

During some testing and debugging I found that if the `kubelet` user exists on the machine but subuids are not assigned, then the kubelet service will fail to start with an error message about the misconfiguration. So I suspect that if this were part of a kubernetes-common package that was a required dependency for the kubernetes packages (e.g. kubernetes1.34), then the out-of-the-box experience would be a failure to start unless the subuids are configured, even when not used.
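As an added example (not code from the package under review or from any participant in this bug), a POSIX shell preflight check for the failure mode described in Comment 3: a `kubelet` account present on the node with no subordinate id range in /etc/subuid or /etc/subgid. The 65536-id minimum and the sample files are constructed assumptions for the demo; on a real node the check would be run against the system files.

```shell
#!/bin/sh
# Added example, not part of the reviewed package: preflight check for the
# failure mode from Comment 3 (kubelet user present, but no subordinate id
# range assigned), meant to run before kubelet is started.
# Assumption: a range of at least 65536 ids (MIN) is needed; adjust to
# match the kubelet's configured ids-per-pod.

# subid_range_ok FILE USER [MIN]
# 0 if FILE has a "USER:start:count" line with count >= MIN, 1 if not,
# 2 if FILE is unreadable. Entries may be keyed by numeric uid as well.
subid_range_ok() {
    file=$1; user=$2; min=${3:-65536}
    [ -r "$file" ] || return 2
    awk -F: -v u="$user" -v m="$min" '
        /^#/ || NF < 3 { next }
        $1 == u && $3 + 0 >= m + 0 { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# user_present USER: 0 if the account exists in the passwd database.
user_present() {
    getent passwd "$1" >/dev/null 2>&1
}

# check_kubelet_subids [USER] [SUBUID_FILE] [SUBGID_FILE]
# 0 only if both files carry a usable range for USER; otherwise reports
# what is missing on stderr and returns 1 (the case kubelet refuses to start in).
check_kubelet_subids() {
    user=${1:-kubelet}
    subuid=${2:-/etc/subuid}; subgid=${3:-/etc/subgid}
    rc=0
    subid_range_ok "$subuid" "$user" || { echo "missing subuid range for $user in $subuid" >&2; rc=1; }
    subid_range_ok "$subgid" "$user" || { echo "missing subgid range for $user in $subgid" >&2; rc=1; }
    return $rc
}

# Constructed sample files so the check can be exercised offline without
# touching /etc (on a real node, call check_kubelet_subids with no args).
demo_dir=$(mktemp -d)
printf 'kubelet:100000:65536\nalice:200000:65536\n' > "$demo_dir/subuid.good"
printf 'kubelet:100000:65536\n' > "$demo_dir/subgid.good"
printf '# kubelet entry missing on purpose\nalice:200000:65536\n' > "$demo_dir/subuid.bad"
check_kubelet_subids kubelet "$demo_dir/subuid.good" "$demo_dir/subgid.good" && echo "ok: kubelet has subuid and subgid ranges"
check_kubelet_subids kubelet "$demo_dir/subuid.bad" "$demo_dir/subgid.good" || echo "as expected: kubelet would fail to start"
```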

Comment 4 Neal Gompa 2025-12-23 15:19:38 UTC
> So I suspect that if this were part of a kubernetes-common package that was a required dependency for the kubernetes packages (e.g. kubernetes1.34) then the out-of-the-box experience would be a failure to start unless the subuids are configured even when not used.

So this sounds like we need this to be fixed so that we always have this configured so it can be opportunistically used.

