vdemeester
diff --git a/‎config/300-crds/300-pipelinerun.yaml‎
Lines changed: 48 additions & 0 deletions b/‎config/300-crds/300-pipelinerun.yaml‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎config/300-crds/300-taskrun.yaml‎
Lines changed: 24 additions & 0 deletions b/‎config/300-crds/300-taskrun.yaml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎docs/podtemplates.md‎
Lines changed: 10 additions & 6 deletions b/‎docs/podtemplates.md‎
Lines changed: 10 additions & 6 deletions
diff --git a/‎pkg/apis/pipeline/pod/template.go‎
Lines changed: 15 additions & 0 deletions b/‎pkg/apis/pipeline/pod/template.go‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎pkg/apis/pipeline/pod/zz_generated.deepcopy.go‎
Lines changed: 5 additions & 0 deletions b/‎pkg/apis/pipeline/pod/zz_generated.deepcopy.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎pkg/apis/pipeline/v1/openapi_generated.go‎
Lines changed: 7 additions & 0 deletions b/‎pkg/apis/pipeline/v1/openapi_generated.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/apis/pipeline/v1/swagger.json‎
Lines changed: 4 additions & 0 deletions b/‎pkg/apis/pipeline/v1/swagger.json‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/apis/pipeline/v1alpha1/openapi_generated.go‎
Lines changed: 7 additions & 0 deletions b/‎pkg/apis/pipeline/v1alpha1/openapi_generated.go‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎pkg/apis/pipeline/v1alpha1/swagger.json‎
Lines changed: 4 additions & 0 deletions b/‎pkg/apis/pipeline/v1alpha1/swagger.json‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎pkg/apis/pipeline/v1beta1/openapi_generated.go‎
Lines changed: 7 additions & 0 deletions b/‎pkg/apis/pipeline/v1beta1/openapi_generated.go‎
Lines changed: 7 additions & 0 deletions
@@ -330,6 +330,18 @@ spec:
                     hostNetwork:
                       description: HostNetwork specifies whether the pod may use the node network namespace
                       type: boolean
+                    hostUsers:
+                      description: |-
+                        HostUsers indicates whether the pod will use the host's user namespace.
+                        Optional: Default to true.
+                        If set to true or not present, the pod will be run in the host user namespace, useful
+                        for when the pod needs a feature only available to the host user namespace, such as
+                        loading a kernel module with CAP_SYS_MODULE.
+                        When set to false, a new user namespace is created for the pod. Setting false
+                        is useful to mitigating container breakout vulnerabilities such as allowing
+                        containers to run as root without their user having root privileges on the host.
+                        This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.
+                      type: boolean
                     imagePullSecrets:
                       description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified
                       type: array
@@ -1139,6 +1151,18 @@ spec:
                           hostNetwork:
                             description: HostNetwork specifies whether the pod may use the node network namespace
                             type: boolean
+                          hostUsers:
+                            description: |-
+                              HostUsers indicates whether the pod will use the host's user namespace.
+                              Optional: Default to true.
+                              If set to true or not present, the pod will be run in the host user namespace, useful
+                              for when the pod needs a feature only available to the host user namespace, such as
+                              loading a kernel module with CAP_SYS_MODULE.
+                              When set to false, a new user namespace is created for the pod. Setting false
+                              is useful to mitigating container breakout vulnerabilities such as allowing
+                              containers to run as root without their user having root privileges on the host.
+                              This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.
+                            type: boolean
                           imagePullSecrets:
                             description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified
                             type: array
@@ -3477,6 +3501,18 @@ spec:
                           hostNetwork:
                             description: HostNetwork specifies whether the pod may use the node network namespace
                             type: boolean
+                          hostUsers:
+                            description: |-
+                              HostUsers indicates whether the pod will use the host's user namespace.
+                              Optional: Default to true.
+                              If set to true or not present, the pod will be run in the host user namespace, useful
+                              for when the pod needs a feature only available to the host user namespace, such as
+                              loading a kernel module with CAP_SYS_MODULE.
+                              When set to false, a new user namespace is created for the pod. Setting false
+                              is useful to mitigating container breakout vulnerabilities such as allowing
+                              containers to run as root without their user having root privileges on the host.
+                              This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.
+                            type: boolean
                           imagePullSecrets:
                             description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified
                             type: array
@@ -4113,6 +4149,18 @@ spec:
                         hostNetwork:
                           description: HostNetwork specifies whether the pod may use the node network namespace
                           type: boolean
+                        hostUsers:
+                          description: |-
+                            HostUsers indicates whether the pod will use the host's user namespace.
+                            Optional: Default to true.
+                            If set to true or not present, the pod will be run in the host user namespace, useful
+                            for when the pod needs a feature only available to the host user namespace, such as
+                            loading a kernel module with CAP_SYS_MODULE.
+                            When set to false, a new user namespace is created for the pod. Setting false
+                            is useful to mitigating container breakout vulnerabilities such as allowing
+                            containers to run as root without their user having root privileges on the host.
+                            This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.
+                          type: boolean
                         imagePullSecrets:
                           description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified
                           type: array
 
@@ -358,6 +358,18 @@ spec:
                     hostNetwork:
                       description: HostNetwork specifies whether the pod may use the node network namespace
                       type: boolean
+                    hostUsers:
+                      description: |-
+                        HostUsers indicates whether the pod will use the host's user namespace.
+                        Optional: Default to true.
+                        If set to true or not present, the pod will be run in the host user namespace, useful
+                        for when the pod needs a feature only available to the host user namespace, such as
+                        loading a kernel module with CAP_SYS_MODULE.
+                        When set to false, a new user namespace is created for the pod. Setting false
+                        is useful to mitigating container breakout vulnerabilities such as allowing
+                        containers to run as root without their user having root privileges on the host.
+                        This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.
+                      type: boolean
                     imagePullSecrets:
                       description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified
                       type: array
@@ -2558,6 +2570,18 @@ spec:
                     hostNetwork:
                       description: HostNetwork specifies whether the pod may use the node network namespace
                       type: boolean
+                    hostUsers:
+                      description: |-
+                        HostUsers indicates whether the pod will use the host's user namespace.
+                        Optional: Default to true.
+                        If set to true or not present, the pod will be run in the host user namespace, useful
+                        for when the pod needs a feature only available to the host user namespace, such as
+                        loading a kernel module with CAP_SYS_MODULE.
+                        When set to false, a new user namespace is created for the pod. Setting false
+                        is useful to mitigating container breakout vulnerabilities such as allowing
+                        containers to run as root without their user having root privileges on the host.
+                        This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.
+                      type: boolean
                     imagePullSecrets:
                       description: ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified
                       type: array
 
@@ -117,12 +117,16 @@ Pod templates support fields listed in the table below.
                 pulling a container image</a>.</td>
 		</tr>
 		<tr>
-			<td><code>hostNetwork</code></td>
-			<td><b>Default:</b> <code>false</code>. Determines whether to use the host network namespace.</td>
-		</tr>
-		<tr>
-			<td><code>hostAliases</code></td>
-			<td>Adds entries to a Pod's `/etc/hosts` to provide Pod-level overrides of hostnames. For further info see [Kubernetes' docs for this field](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/).</td>
+            <td><code>hostNetwork</code></td>
+            <td><b>Default:</b> <code>false</code>. Determines whether to use the host network namespace.</td>
+        </tr>
+        <tr>
+            <td><code>hostUsers</code></td>
+            <td><b>Default:</b> <code>true</code>. Determines whether to use the host's user namespace. When set to <code>false</code>, a new user namespace is created for the pod, providing better security isolation. This is useful for mitigating container breakout vulnerabilities. This field is alpha-level and requires the <code>UserNamespacesSupport</code> feature gate to be enabled on the Kubernetes cluster (available in Kubernetes 1.25+).</td>
+        </tr>
+        <tr>
+            <td><code>hostAliases</code></td>
+            <td>Adds entries to a Pod's `/etc/hosts` to provide Pod-level overrides of hostnames. For further info see [Kubernetes' docs for this field](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/).</td>
 		</tr>
         <tr>
             <td><code>topologySpreadConstraints</code></td>
 
@@ -132,6 +132,18 @@ type Template struct {
 	// +optional
 	HostNetwork bool `json:"hostNetwork,omitempty"`
 
+	// HostUsers indicates whether the pod will use the host's user namespace.
+	// Optional: Default to true.
+	// If set to true or not present, the pod will be run in the host user namespace, useful
+	// for when the pod needs a feature only available to the host user namespace, such as
+	// loading a kernel module with CAP_SYS_MODULE.
+	// When set to false, a new user namespace is created for the pod. Setting false
+	// is useful to mitigating container breakout vulnerabilities such as allowing
+	// containers to run as root without their user having root privileges on the host.
+	// This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.
+	// +optional
+	HostUsers *bool `json:"hostUsers,omitempty"`
+
 	// TopologySpreadConstraints controls how Pods are spread across your cluster among
 	// failure-domains such as regions, zones, nodes, and other user-defined topology domains.
 	// +optional
@@ -229,6 +241,9 @@ func MergePodTemplateWithDefault(tpl, defaultTpl *PodTemplate) *PodTemplate {
 		if !tpl.HostNetwork && defaultTpl.HostNetwork {
 			tpl.HostNetwork = true
 		}
+		if tpl.HostUsers == nil {
+			tpl.HostUsers = defaultTpl.HostUsers
+		}
 		if tpl.TopologySpreadConstraints == nil {
 			tpl.TopologySpreadConstraints = defaultTpl.TopologySpreadConstraints
 		}
 
@@ -95,6 +95,10 @@
           "description": "HostNetwork specifies whether the pod may use the node network namespace",
           "type": "boolean"
         },
+        "hostUsers": {
+          "description": "HostUsers indicates whether the pod will use the host's user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new user namespace is created for the pod. Setting false is useful to mitigating container breakout vulnerabilities such as allowing containers to run as root without their user having root privileges on the host. This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.",
+          "type": "boolean"
+        },
         "imagePullSecrets": {
           "description": "ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified",
           "type": "array",
 
@@ -95,6 +95,10 @@
           "description": "HostNetwork specifies whether the pod may use the node network namespace",
           "type": "boolean"
         },
+        "hostUsers": {
+          "description": "HostUsers indicates whether the pod will use the host's user namespace. Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace, useful for when the pod needs a feature only available to the host user namespace, such as loading a kernel module with CAP_SYS_MODULE. When set to false, a new user namespace is created for the pod. Setting false is useful to mitigating container breakout vulnerabilities such as allowing containers to run as root without their user having root privileges on the host. This field depends on the kubernetes feature gate UserNamespacesSupport being enabled.",
+          "type": "boolean"
+        },
         "imagePullSecrets": {
           "description": "ImagePullSecrets gives the name of the secret used by the pod to pull the image if specified",
           "type": "array",