Description
With hostUsers: false, Kubernetes now allows you to run your container inside a user namespace. A pod that sets hostUsers: false together with privileged: true never leaves ContainerCreating: sandbox creation fails because runc cannot mount sysfs at /sys inside the user namespace.
Complete error: (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "d8a0dc04ebcc8ad4f3121228ef6cc0af77fa3f95639b535b4d627836e6153385": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
Steps to reproduce the issue
- Install kind > v0.31
- Create a kind cluster:
kind create cluster
- Run a pod with the sample YAML below:
apiVersion: v1
kind: Pod
metadata:
  name: pod-privledged-userns
spec:
  hostUsers: false
  containers:
  - name: shell
    command: ["sleep", "infinity"]
    image: debian
    securityContext:
      privileged: true
- Run the pod describe command:
kubectl describe pod pod-privledged-userns
Name:             pod-privledged-userns
Namespace:        default
Priority:         0
Service Account:  default
Node:             kind-0-32-control-plane/172.18.0.3
Start Time:       Tue, 02 Jun 2026 23:31:43 +0000
Labels:           <none>
Annotations:      <none>
Status:           Pending
IP:
IPs:              <none>
Containers:
  shell:
    Container ID:
    Image:         debian
    Image ID:
    Port:          <none>
    Host Port:     <none>
    Command:
      sleep
      infinity
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-wpf9b (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   False
  Initialized                 True
  Ready                       False
  ContainersReady             False
  PodScheduled                True
Volumes:
  kube-api-access-wpf9b:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    Optional:                false
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason                  Age  From               Message
  ----     ------                  ---- ----               -------
  Normal   Scheduled               24m  default-scheduler  Successfully assigned default/pod-privledged-userns to kind-0-32-control-plane
  Warning  FailedCreatePodSandBox  24m  kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "fdb24c2cf32851f995f94b3e2c374c8f4dc7fd4df3dcd199ba386ae3ca2806e0": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
  Warning  FailedCreatePodSandBox  24m  kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "4fc0ea354ea6b3d8f78c08b41babaee52b036920feb026511ef17b7e203a532d": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
  Warning  FailedCreatePodSandBox  23m  kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "5c5b9341a16a21fa09fcb379164bf13e6e16b15237b7affed77daa4477347a70": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
Describe the results you received and expected
- Expected: the pod should be created with privileged: true and hostUsers: false. When hostUsers: false is set, sysfs should be mounted (or left unmounted) the same way it is for privileged: false.
- Received: the pod stays Pending in ContainerCreating and the kubelet keeps emitting the FailedCreatePodSandBox events shown above.
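Until this is resolved, the combination that triggers it can be caught before a manifest reaches the kubelet. The check below is an added example, not code from runc or Kubernetes: it reads a Pod (or a PodList, as `kubectl get pods -A -o json` returns) and lists every container that asks for privileged: true inside a pod that sets hostUsers: false, treating an omitted hostUsers as the default true. The embedded JSON is a constructed sample mirroring the manifest above.

```python
import json

# Constructed sample mirroring the manifest in this report, in the shape
# `kubectl get pod -o json` returns (not output captured from the reporter's cluster).
SAMPLE_POD_JSON = """{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "pod-privledged-userns", "namespace": "default"},
  "spec": {
    "hostUsers": false,
    "containers": [
      {"name": "shell", "image": "debian", "command": ["sleep", "infinity"],
       "securityContext": {"privileged": true}},
      {"name": "sidecar", "image": "debian"}
    ]
  }
}"""


def uses_user_namespace(pod: dict) -> bool:
    """hostUsers defaults to true; only an explicit false opts the pod into a user namespace."""
    return pod.get("spec", {}).get("hostUsers", True) is False


def privileged_userns_containers(pod: dict) -> list[str]:
    """Refs of containers requesting privileged: true in a pod that sets hostUsers: false.

    This is exactly the combination that fails at sandbox creation in the report above,
    so it is worth rejecting or flagging before the manifest reaches the kubelet.
    """
    if not uses_user_namespace(pod):
        return []
    meta = pod.get("metadata", {})
    prefix = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    found = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod["spec"].get(field, []):
            # securityContext may be absent or null; both mean "not privileged".
            sctx = container.get("securityContext") or {}
            if sctx.get("privileged") is True:
                found.append(f"{prefix}:{field}/{container['name']}")
    return found


def check_json(raw: str) -> list[str]:
    """Accept a single Pod or a PodList (kubectl get pods -A -o json) and report offenders."""
    doc = json.loads(raw)
    pods = doc.get("items", []) if doc.get("kind") == "PodList" else [doc]
    return [ref for pod in pods for ref in privileged_userns_containers(pod)]
```

Pipe `kubectl get pods -A -o json` into `check_json` to find every affected pod in a cluster; the same function fits a CI lint over rendered manifests.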
What version of runc are you using?
root@kind-0-32-control-plane:/# runc --version
runc version 1.4.2
commit: v1.4.2-0-gc241c0b
spec: 1.3.0
go: go1.26.3
libseccomp: 2.6.0
Host OS information
root@kind-0-32-control-plane:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.5
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
Host kernel information
root@kind-0-32-control-plane:/# uname -a
Linux kind-0-32-control-plane 7.0.0-15-generic #15-Ubuntu SMP PREEMPT_DYNAMIC Wed Apr 22 15:54:12 UTC 2026 aarch64 GNU/Linux