Hello Everybody, I often run containers with the following mapping: podman run --uidmap 0:1:1000 --gidmap 0:1:1000 --uidmap 1000:0:1 --gidmap 1000:0:1 --uidmap 1001:1002:64535 --gidmap 1001:1002:64535 --name foo -it localhost/bar bash The reason is that "bar" image is build from containerfile that has user "foobar" and that user is configured to run processes ("USER foobar" in the containerfile) in containers run from the image. The mapping above makes sure that foobar user has same ID in the container host as the user that runs containers on that host (my user account). Could you please tell me is it possible to specify such uidmap/gidmap in Pod yaml? I tried to run a container with the given uidmap/gidmap in a Pod and then "podman generate kube abc" but that didn't give me any extra properties that would configure uidmap/gidmap. Thank you. Kind regards, Rudolf Vesely _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io

Giuseppe Scrivano <gscrivan(a)redhat.com&gt; wrote: > On 9/7/22 06:02, Rudolf Vesely via Podman wrote: > > > Hello Everybody, > > > > I often run containers with the following mapping: > > > > podman run --uidmap 0:1:1000 --gidmap 0:1:1000 --uidmap 1000:0:1 --gidmap 1000:0:1 --uidmap 1001:1002:64535 --gidmap 1001:1002:64535 --name foo -it localhost/bar bash > > > > The reason is that "bar" image is build from containerfile that has > > user "foobar" and that user is configured to run processes ("USER > > foobar" in the containerfile) in containers run from the image. > > > > The mapping above makes sure that foobar user has same ID in the container host as the user that runs containers on that host (my user account). > > > > Could you please tell me is it possible to specify such uidmap/gidmap in Pod yaml? > > > > I tried to run a container with the given uidmap/gidmap in a Pod and then "podman generate kube abc" but that didn't give me any extra properties that would configure uidmap/gidmap. > > > > Thank you. > > > > Kind regards, > > > > Rudolf Vesely > > _______________________________________________ > > Podman mailing list -- podman(a)lists.podman.io > > To unsubscribe send an email to podman-leave(a)lists.podman.io > > I don't believe this mapping is possible yet in Kubernetes. Giuseppe > is the one who would know the current state of User Namespace support > in Kube. > user namespace support will be in Kubernetes 1.25 but it won't be possible to specify the mappings. It will only possible to specify that the pod will run in a distinct user namespace. The implementation is similar to our --userns=auto:size=65536 option. We will want to plug that, although we probably want a different size when used in rootless mode as 65536 will consume all the available IDs.