
[Enhancement]: Add support for user namespace containers #11385

@scholzj

Description


Related problem

When supported by the environment, Kubernetes allows running Pod containers in user namespaces (different from Kubernetes namespaces). This helps to improve the security isolation and might help to protect applications against some CVEs. You can read more about it in this blog post: https://kubernetes.io/blog/2025/04/25/userns-enabled-by-default/

I tried it in a modified Strimzi codebase. And it seems to work fine with Strimzi. But there is currently no way to enable it in Strimzi.

Suggested solution

We should try to add support for user namespaces as an optional thing. Two ways to implement it come to my mind:

  • Add the hostUsers field to the PodTemplate and allow users to configure it for each Pod. This seems to be the simplest solution. But it seems likely that users would want to configure it the same way for all Strimzi Pods and not just for some of them?
  • Add it to the PodSecurityProviders. While it is not part of the security context, it is related to security, and it would allow configuring it from a single place for all Pods.

Alternatives

No response

Additional context

No response
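Until Strimzi exposes the field, an operator can at least verify which Pods actually ended up isolated in a user namespace. The following audit script is an added example, not code from the issue or from the Strimzi project; it reads the PodList JSON shape that `kubectl get pods -A -o json` emits, treats an unset `spec.hostUsers` as `true` (the Kubernetes default), and assumes the `strimzi.io/cluster` label for narrowing the report to one Kafka cluster.

```python
"""Audit Pod specs for user-namespace isolation (spec.hostUsers).

Added example (not part of the Strimzi issue or project). Input is the JSON
shape of `kubectl get pods -A -o json`, i.e. a PodList. In Kubernetes an unset
spec.hostUsers means the Pod shares the host user namespace, so an absent
field counts as "not isolated". Note that on a cluster without user-namespace
support the API server drops the field, so this reads what was persisted.
"""
import json
from typing import List, Optional

# Constructed sample PodList: one Pod opted into a user namespace, two not.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "kafka", "name": "my-cluster-kafka-0",
                      "labels": {"strimzi.io/cluster": "my-cluster"}},
         "spec": {"hostUsers": False, "containers": [{"name": "kafka"}]}},
        {"metadata": {"namespace": "kafka", "name": "my-cluster-entity-operator-abc",
                      "labels": {"strimzi.io/cluster": "my-cluster"}},
         "spec": {"containers": [{"name": "topic-operator"}]}},
        {"metadata": {"namespace": "kube-system", "name": "kube-proxy-xyz"},
         "spec": {"hostUsers": True, "containers": [{"name": "kube-proxy"}]}},
    ],
})


def uses_host_user_namespace(pod: dict) -> bool:
    """True if the Pod shares the host user namespace (unset counts as True)."""
    return pod.get("spec", {}).get("hostUsers", True) is not False


def audit(podlist_json: str, cluster_label: Optional[str] = None) -> List[str]:
    """Return 'namespace/name' of every Pod not isolated in a user namespace.

    If cluster_label is given, only Pods carrying that strimzi.io/cluster
    label (assumed label name) are considered.
    """
    findings = []
    for pod in json.loads(podlist_json).get("items", []):
        meta = pod.get("metadata", {})
        if cluster_label and meta.get("labels", {}).get("strimzi.io/cluster") != cluster_label:
            continue
        if uses_host_user_namespace(pod):
            findings.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return findings


if __name__ == "__main__":
    for ref in audit(SAMPLE_PODLIST, cluster_label="my-cluster"):
        print(f"{ref}: still in the host user namespace (hostUsers is not false)")
```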
