feat(deploy/chart): adding hostUsers property to pods

[hjoshi123]

Pull Request Motivation

Fixes #7885

Refer to https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/ for more context on the feature.

Kind

/kind feature

Release Note

added experimental field `hostUsers` flag to all pods. Not set by default.

[hawksight]

Hey @hjoshi123, thanks for taking the time to add this. I think there are 2 issues or points to discuss:

1. I think you can se with and coalesce helm functions here to minimise the YAML. For example, a similar global vs specific values here: https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/templates/startupapicheck-job.yaml#L79-L84 - (goal - less YAML / maintainability)
2. Given that this is default in 1.33 which is current minus 1, we might want to enable this is a way where we don't specify it by default. For example .Values.global.hostUsers: "" to make it blank. In which case, no YAML. Unless you can prove that providing the default value of hostUsers: false works on k8s 1.29 (from our supported releases for v1.18). If it works on a 1.29 kind cluster set to false, then we can ignore this point. - (goal - maintain support for all supported versions / backwards compatibility)

[hjoshi123]

Hey @hjoshi123, thanks for taking the time to add this. I think there are 2 issues or points to discuss:

1. I think you can se with and coalesce helm functions here to minimise the YAML. For example, a similar global vs specific values here: https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/templates/startupapicheck-job.yaml#L79-L84 - (goal - less YAML / maintainability)
2. Given that this is default in 1.33 which is current minus 1, we might want to enable this is a way where we don't specify it by default. For example .Values.global.hostUsers: "" to make it blank. In which case, no YAML. Unless you can prove that providing the default value of hostUsers: false works on k8s 1.29 (from our supported releases for v1.18). If it works on a 1.29 kind cluster set to false, then we can ignore this point. - (goal - maintain support for all supported versions / backwards compatibility)

@hawksight yes it does make sense to use with here I think.. I can refactor the code and try to make it better.
On the second point, my intention was to only put the hostUsers field when its true; this way if the value is false then the field doesn't show up in the spec at all so we don't have to worry about compatibility issues below 1.33. 1.33 has the hostUsers field false by default.

[hjoshi123]

Also, I am not sure if coalesce can handle booleans, was reading the documentation to make sure and they seem to mention lists

[hawksight]

@hjoshi123 - I'll join stand up today to talk about it hopefully, you are probably right.

I did a quick test in kind 1.27:

➜  cert-manager git:(feat/user-namespace-feature) ✗ k explain deployment.spec.template.spec.hostUsers
GROUP:      apps
KIND:       Deployment
VERSION:    v1

FIELD: hostUsers <boolean>


DESCRIPTION:
    Use the host's user namespace. Optional: Default to true. If set to true or
    not present, the pod will be run in the host user namespace, useful for when
    the pod needs a feature only available to the host user namespace, such as
    loading a kernel module with CAP_SYS_MODULE. When set to false, a new userns
    is created for the pod. Setting false is useful for mitigating container
    breakout vulnerabilities even allowing users to run their containers as root
    without actually having root privileges on the host. This field is
    alpha-level and is only honored by servers that enable the
    UserNamespacesSupport feature.


➜  cert-manager git:(feat/user-namespace-feature) ✗ k version
Client Version: v1.34.0
Kustomize Version: v5.7.1
Server Version: v1.27.13
Warning: version difference between client (1.34) and server (1.27) exceeds the supported minor version skew of +/-1

It's confusingly worded I find:

Optional: Default to true. If set to true or not present, the pod will be run in the host user namespace...

When set to false, a new userns is created for the pod.

I actually think we want to default it to false, unless someone explicitly needs it true.
I guess we need to check with maintainers to see if there are any host user namespace capabilities needed. My gut says no.

[hawksight]

If we assume we want to set it to a safe default of "false", then the logic could be shorter:

      {{- if hasKey .Values.cainjector "hostUsers" }}
      hostUsers: {{ .Values.cainjector.hostUsers }}
      {{- else }}
      hostUsers: {{ .Values.global.hostUsers }}
      {{- end }}

[hjoshi123]

If we assume we want to set it to a safe default of "false", then the logic could be shorter:

      {{- if hasKey .Values.cainjector "hostUsers" }}

      hostUsers: {{ .Values.cainjector.hostUsers }}

      {{- else }}

      hostUsers: {{ .Values.global.hostUsers }}

      {{- end }}

Ah yes that makes it simpler. So it is a valid field in 1.27 too then. I will make the change. Thank you @hawksight

[hjoshi123]

@hawksight changed the code.. could you take a look at it again?

[hjoshi123]

/release-note-edit

added `hostUsers` flag to all pods. Defaults to false. 

[hjoshi123]

/retest

[hjoshi123]

not sure why the tests are failing.. locally all tests seem to be running..
/retest

[hawksight]

/retest
/lgtm

[hjoshi123]

I lean towards the first option and adding comments about how to use the false value if required. This way users can be prepared if they want to. The default value for this field is true after 1.33 anyway. And then once its GA we can mark it as false. WDYT?

Not sure if I understand. 😅 We use cert-manager, and I don't want to have the hostUsers field set at all in the pod template. At least not until all supported K8s versions understand it.

Ah I understand now.. so we make the field optional then i.e. not set any value at all and then add comments about the fact that its an experimental feature? I understand what you are arriving at but still confused how i would implement it 😅

[erikgb]

Ah I understand now.. so we make the field optional then i.e. not set any value at all and then add comments about the fact that its an experimental feature? I understand what you are arriving at but still confused how i would implement it 😅

That's a typical Helm issue. I think you need to distinguish between an unset value and the false value. There must be some way of doing this in Helm......

[hjoshi123]

@erikgb pushed some changes according to our discussions.. the comments may not be that polished so let me know if it needs changing

[erikgb]

Thanks a lot for working on this, @hjoshi123. It's a very interesting subject, and I am glad we spent some time deciding on where to go here. Your solution looks good now, and I hope both you and @hawksight agree?

I've added a suggestion to the value docs. The last part is no longer correct, and I think the text was a bit hard to read. With a little help from ChatGPT, I put in a suggestion. Feel free to adjust.

/approve

[cert-manager-prow]

@hjoshi123: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cert-manager-master-license	7c5a26a	link	false	/test pull-cert-manager-master-license
pull-cert-manager-master-e2e-v1-33	cbc99c8	link	true	/test pull-cert-manager-master-e2e-v1-33
pull-cert-manager-master-e2e-v1-33-upgrade	cbc99c8	link	true	/test pull-cert-manager-master-e2e-v1-33-upgrade

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[erikgb]

Great work, @hjoshi123! 🚀

/lgtm
/approve

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: erikgb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [erikgb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[erikgb]

/hold

Can you update release notes, please?

[erikgb]

/unhold

[hjoshi123]

/release-note-edit

added experimental field `hostUsers` flag to all pods. Not set by default.

[wallrj-cyberark]

@hjoshi123 We have released this. Please test and feedback: https://github.com/cert-manager/cert-manager/releases/tag/v1.19.1

[jcpunk]

Adding a note here: kind doesn't work with hostUsers: false. So while I fully support making user namespaces the default, I'll need a way to continue testing my environment in kind...