Enhancement Description

One-line enhancement description (can be used as a release note): Allow running the entire Kubernetes components (kubelet, CRI, OCI, CNI, and all kube-*) as a non-root user on the host.
Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless
Discussion Link:
- POC: https://github.com/rootless-containers/usernetes
- k/k PR: https://github.com/kubernetes/kubernetes/pull/92863 (merged in v1.22)
- Proposal in kind repo: https://github.com/kubernetes-sigs/kind/issues/1797
- Proposal in minikube repo: https://github.com/kubernetes/minikube/issues/10836
- Documentation PR: https://github.com/kubernetes/website/pull/28827
Primary contact (assignee): @AkihiroSuda
Responsible SIGs: SIG-node
PRs by stage and milestone:
- [X] Alpha - v1.22
  - [X] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/1371
  - [X] Code (k/k) update PR(s): https://github.com/kubernetes/kubernetes/pull/92863
  - [X] Docs (k/website) update PR(s): https://github.com/kubernetes/website/pull/28827
- [ ] Beta - ~v1.35~ v1.36
  - [x] KEP (k/enhancements) update PR(s): https://github.com/kubernetes/enhancements/pull/5388 https://github.com/kubernetes/enhancements/pull/5694
  - [ ] Code (k/k) update PR(s): https://github.com/kubernetes/kubernetes/pull/134639
  - [ ] Docs (k/website) update(s): https://github.com/kubernetes/website/pull/52732
- [ ] Stable - v1.xx
  - [ ] KEP (k/enhancements) update PR(s):
  - [ ] Code (k/k) update PR(s):
  - [ ] Docs (k/website) update(s):

Sep 30 '20 04:09 AkihiroSuda

/sig node

Sep 30 '20 04:09 AkihiroSuda

Thanks for opening this @AkihiroSuda !

As a reminder Enhancements Freeze is next Tuesday October 6th, by which time KEPs must be merged in an implementable state (you have this), have test plans(you have this) and graduation criteria (you have this).

Sep 30 '20 18:09 kikisdeliveryservice

Hi @AkihiroSuda , Just a reminder that the outstanding PR (#1371) must be merged by EOD PST tomorrow (10/6) for this KEP to be included in the Enhancements Freeze for the 1.20 release. After that time you will need to request an Exception to be included in the 1.20 Release.

Best, Kendall Enhancements Team 1.20

Oct 05 '20 22:10 kendallroden

Hi @AkihiroSuda

Enhancements Freeze is now in effect. Unfortunately, your KEP PR did not merge. If you wish to be included in the 1.20 Release, please submit an Exception Request as soon as possible.

Best, Kirsten 1.20 Enhancements Lead

Oct 07 '20 02:10 kikisdeliveryservice

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

Jan 05 '21 04:01 fejta-bot

/remove-lifecycle stale

Jan 05 '21 04:01 AkihiroSuda

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

Apr 05 '21 04:04 fejta-bot

/remove-lifecycle stale

Apr 05 '21 04:04 AkihiroSuda

/remove-lifecycle stale

Apr 05 '21 09:04 george-angel

Hi @AkihiroSuda 👋 1.22 Enhancement shadow here.

This enhancement is well on its way, some minor change requests in light of Enhancement Freeze on Thursday May 13th:

Update kep.yaml file to the latest template, as well as fill in approvers prr-approvers and update milestones
Obtain a PRR approval

Thanks 😊

May 10 '21 03:05 gracenng

Hi @AkihiroSuda 👋 1.22 Enhancements shadow here. I just wanted to double check to see if SIG-node will need to do anything for this enhancement and if so, are they OK with it? Thanks!

May 11 '21 12:05 gracenng

Yes, I would like to have https://github.com/kubernetes/enhancements/pull/1371 (and k/k PR https://github.com/kubernetes/kubernetes/pull/92863) to be reviewed (and merged) if possible.

May 11 '21 12:05 AkihiroSuda

Hi @AkihiroSuda, 1.22 Enhancements Lead here. :wave: With enhancements freeze now in effect we are removing this enhancement from the 1.22 release due to https://github.com/kubernetes/enhancements/pull/1371 not being approved.

Feel free to file an exception to add this back to the release. If you plan to do so, please file this as early as possible.

Thanks! /milestone clear

May 14 '21 08:05 JamesLaverack

Hey @AkihiroSuda, as per the discussion on the SIG Release mailing list this enhancement's exception request has been approved.

With #1371 merged, this is in a good state for 1.22.

/milestone v1.22

May 25 '21 00:05 JamesLaverack

Hello @AkihiroSuda 👋, 1.22 Docs release lead here. This enhancement is marked as ‘Needs Docs’ for 1.22 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.  Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.  Thank you!

May 26 '21 19:05 PI-Victor

Hi @AkihiroSuda 🌞 1.22 enhancements shadow here.

In light of Code Freeze on July 8th, this enhancement current status is at risk as k/k#92863 has not been merged. Please let me know if there is other code PR associated with this enhancement and feel free to ping me once its merged.

Thanks

Jun 23 '21 12:06 gracenng

https://github.com/kubernetes/kubernetes/pull/92863 is the only PR associated with this KEP, and should be ready to merge

Jun 24 '21 07:06 AkihiroSuda

Hello @AkihiroSuda 👋, 1.22 Docs release lead here. This enhancement is marked as ‘Needs Docs’ for 1.22 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.  Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.  Thank you!

Heya, @AkihiroSuda friendly reminder about the upcoming docs placeholder PR deadline on 9th of July.

Jul 06 '21 15:07 PI-Victor

@PI-Victor

Thanks, opened PR https://github.com/kubernetes/website/pull/28827

Jul 07 '21 05:07 AkihiroSuda

Hi @AkihiroSuda 🌷 1.22 enhancements shadow here.

A friendly reminder that Code Freeze is tomorrow, on July 8th and the current status of this enhancement is at risk I'll keep an eye out for updates but feel free to ping me once its merged

Thanks

Jul 07 '21 12:07 gracenng

@gracenng

https://github.com/kubernetes/kubernetes/pull/92863 is now merged 🎉

Jul 08 '21 01:07 AkihiroSuda

What's left here? only Docker?

Oct 10 '21 20:10 andypost

Dockershim has been already deprecated, so I'm not going to work on dockershim for rootless. (Docker itself has been supporting rootless for nearly 3 years, though)

containerd and CRI-O already supports rootless CRI: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri

Oct 11 '21 03:10 AkihiroSuda

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Jan 09 '22 04:01 k8s-triage-robot

/remove-lifecycle stale

Jan 09 '22 05:01 AkihiroSuda

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Apr 09 '22 06:04 k8s-triage-robot

/remove-lifecycle stale

Apr 09 '22 07:04 AkihiroSuda

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Jul 08 '22 07:07 k8s-triage-robot

/remove-lifecycle stale

Jul 08 '22 11:07 AkihiroSuda

/milestone clear

Oct 01 '22 02:10 rhockenbury

sig-node: Kubelet-in-UserNS, aka Rootless mode

Enhancement Description