Support for pod user namespaces

[Piccirello]

This issue is to track Talos's support for user namespaces^0 in Kubernetes pods. User namespaces allow for strict separation between the root user in pods and the root user on the host. From the docs: "A process running as root in a container can run as a different (non-root) user in the host; in other words, the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace."

User namespaces requires at least Linux 6.3, which it appears Talos v1.7.0 will support. The Kubernetes docs also state that "containerd v1.7 is not compatible with the userns support in Kubernetes v1.27 to v1.29." That may mean waiting for containerd 2.0^1, though this is unclear to me.

When user namespaces are eventually supported, it would be worth mentioning as a feature in the Talos release's changelog.

[sanmai-NL]

How will this affect Talos Linux nodes running inside containers? And potentially, in user-namespaced/rootless containers?

[Piccirello]

The kubernetes docs page^1 linked above has been updated with more information. It now seems more explicitly clear that containerd v2 is needed.

containerd v1.7 is not compatible with the userns support in Kubernetes v1.27 to v1.30. Kubernetes v1.25 and v1.26 used an earlier implementation that is compatible with containerd v1.7, in terms of userns support.