
error mounting "sysfs" to rootfs at "/sys" when creating pod with hostUsers: false and privileged:true with kind #5309

Description

@yesdeepakverma

With hostUsers: false, Kubernetes now allows you to run your container inside a user namespace.

Complete error (combined from similar events):

```
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "d8a0dc04ebcc8ad4f3121228ef6cc0af77fa3f95639b535b4d627836e6153385": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
```

Steps to reproduce the issue

  1. Install kind > v0.31
  2. Create a kind cluster: `kind create cluster`
  3. Run a pod with the sample YAML below

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pod-privledged-userns
spec:
  hostUsers: false
  containers:
  - name: shell
    command: ["sleep", "infinity"]
    image: debian
    securityContext:
      privileged: true
```
  4. Run the pod describe command: `kubectl describe pod pod-privledged-userns`

```
Name:             pod-privledged-userns
Namespace:        default
Priority:         0
Service Account:  default
Node:             kind-0-32-control-plane/172.18.0.3
Start Time:       Tue, 02 Jun 2026 23:31:43 +0000
Labels:           <none>
Annotations:      <none>
Status:           Pending
IP:               
IPs:              <none>
Containers:
  shell:
    Container ID:  
    Image:         debian
    Image ID:      
    Port:          <none>
    Host Port:     <none>
    Command:
      sleep
      infinity
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-wpf9b (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   False 
  Initialized                 True 
  Ready                       False 
  ContainersReady             False 
  PodScheduled                True 
Volumes:
  kube-api-access-wpf9b:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    Optional:                false
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason                  Age                   From               Message
  ----     ------                  ----                  ----               -------
  Normal   Scheduled               24m                   default-scheduler  Successfully assigned default/pod-privledged-userns to kind-0-32-control-plane
  Warning  FailedCreatePodSandBox  24m                   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "fdb24c2cf32851f995f94b3e2c374c8f4dc7fd4df3dcd199ba386ae3ca2806e0": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
  Warning  FailedCreatePodSandBox  24m                   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "4fc0ea354ea6b3d8f78c08b41babaee52b036920feb026511ef17b7e203a532d": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
  Warning  FailedCreatePodSandBox  23m                   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to start sandbox "5c5b9341a16a21fa09fcb379164bf13e6e16b15237b7affed77daa4477347a70": failed to create containerd task: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "sysfs" to rootfs at "/sys": mount src=sysfs, dst=/sys, dstFd=/proc/thread-self/fd/11, flags=MS_NOSUID|MS_NODEV|MS_NOEXEC: operation not permitted
```

Describe the results you received and expected

  1. The pod should be created with privileged: true and hostUsers: false.

When setting hostUsers: false, the sysfs volume should be mounted (or not mounted) as if privileged: false.

What version of runc are you using?

```
root@kind-0-32-control-plane:/# runc --version
runc version 1.4.2
commit: v1.4.2-0-gc241c0b
spec: 1.3.0
go: go1.26.3
libseccomp: 2.6.0
```

Host OS information

```
root@kind-0-32-control-plane:/# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.5
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```

Host kernel information

```
root@kind-0-32-control-plane:/# uname -a
Linux kind-0-32-control-plane 7.0.0-15-generic #15-Ubuntu SMP PREEMPT_DYNAMIC Wed Apr 22 15:54:12 UTC 2026 aarch64 GNU/Linux
```
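Background for the `mount src=sysfs ... operation not permitted` line above: the kernel only allows sysfs to be mounted from inside a user namespace when that user namespace owns the mounter's current network namespace (the caller needs CAP_SYS_ADMIN over the netns, not merely over the mount namespace). A process that gets a fresh user namespace but keeps a network namespace created elsewhere therefore receives EPERM from mount(2), exactly the errno runc reports. Whether that is what happens in this kind setup depends on how the sandbox's network namespace was created and why the privileged path differs from the unprivileged one, neither of which the report shows, so treat it as the first thing to verify rather than a confirmed diagnosis. The program below is an added example, not code from runc, containerd or the reporter: it re-executes itself as uid 0 of a new user namespace, once inheriting the network namespace and once with a new one, and tries the same mount with the same flags. The names `probeSysfsMount`, `childMount` and the `SYSFS_PROBE_CHILD` environment variable are made up for this example, and it assumes a Linux host where unprivileged user namespaces are permitted; where they are not it reports "unavailable" instead of guessing.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// Hypothetical marker (not from runc or the report): set in the environment of the
// re-executed child so it knows to perform the mount instead of running main.
const childEnv = "SYSFS_PROBE_CHILD"

// The flags runc passed in the error message: MS_NOSUID|MS_NODEV|MS_NOEXEC.
const sysfsFlags = syscall.MS_NOSUID | syscall.MS_NODEV | syscall.MS_NOEXEC

// init runs in every copy of the process; in the re-executed child it performs the
// mount, prints the classification on stdout and exits before main or any tests.
func init() {
	if os.Getenv(childEnv) != "1" {
		return
	}
	fmt.Println(childMount())
	os.Exit(0)
}

// childMount runs inside the new namespaces. It makes every mount private first so
// nothing propagates back to the parent's mount namespace, then mounts a fresh
// sysfs instance on a scratch directory and classifies the result as "mounted",
// "EPERM" or another error string.
func childMount() string {
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return "remount private: " + err.Error()
	}
	dir, err := os.MkdirTemp("", "sysfs-probe-")
	if err != nil {
		return "mkdir: " + err.Error()
	}
	defer os.RemoveAll(dir)
	err = syscall.Mount("sysfs", dir, "sysfs", sysfsFlags, "")
	switch {
	case err == nil:
		_ = syscall.Unmount(dir, 0)
		return "mounted"
	case errors.Is(err, syscall.EPERM):
		return "EPERM"
	default:
		return "errno: " + err.Error()
	}
}

// probeSysfsMount re-executes this program as uid 0 of a brand-new user namespace
// with a new mount namespace and, when newNet is true, a new network namespace as
// well. It returns the child's classification, or "unavailable: ..." when the
// namespaces could not be created at all (unprivileged user namespaces disabled,
// a seccomp profile that blocks the clone flags, or a sandbox without nsfs), so
// the caller can tell "the kernel refused the mount" from "the probe cannot run".
func probeSysfsMount(newNet bool) string {
	exe, err := os.Executable()
	if err != nil {
		return "unavailable: " + err.Error()
	}
	flags := uintptr(syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS)
	if newNet {
		flags |= syscall.CLONE_NEWNET
	}
	cmd := exec.Command(exe)
	cmd.Env = append(os.Environ(), childEnv+"=1")
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags: flags,
		// Map the caller to uid/gid 0 inside the new user namespace: that grants
		// CAP_SYS_ADMIN over namespaces this user namespace owns, and nothing else.
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	out, err := cmd.Output()
	if err != nil {
		return "unavailable: " + err.Error()
	}
	return strings.TrimSpace(string(out))
}

func main() {
	// On a stock kernel the first probe reports EPERM because the inherited
	// network namespace belongs to the parent's user namespace; the second
	// reports "mounted" because the new netns is owned by the new userns.
	fmt.Println("userns+mountns, inherited netns:", probeSysfsMount(false))
	fmt.Println("userns+mountns+netns:           ", probeSysfsMount(true))
}
```

Run it as an ordinary user on the kind node (or any Linux box): two results that differ only in whether a new network namespace was created demonstrate the ownership rule without Kubernetes in the picture. To apply it to a failing sandbox, the question becomes which user namespace owns the network namespace the runtime joins, which can be compared with `readlink /proc/<pid>/ns/user` and the NS_GET_USERNS ioctl on the netns file; the example does not do that because the report gives no process to inspect.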
