Commit 0a3b5f2

Merge pull request kubernetes#50288 from Eason1118/patch-user-namespaces
[zh-cn] sync pods/user-namespaces.md
2 parents bd37928 + 9528423 commit 0a3b5f2

1 file changed: +23 -2 lines changed


Diff for: content/zh-cn/docs/concepts/workloads/pods/user-namespaces.md

@@ -149,7 +149,18 @@ The kubelet will pick host UIDs/GIDs a pod is mapped to, and will do so in a way
149149
to guarantee that no two pods on the same node use the same mapping.
150150
151151
The `runAsUser`, `runAsGroup`, `fsGroup`, etc. fields in the `pod.spec` always
152-
refer to the user inside the container.
152+
refer to the user inside the container. These users will be used for volume
153+
mounts (specified in `pod.spec.volumes`) and therefore the host UID/GID will not
154+
have any effect on writes/reads from volumes the pod can mount. In other words,
155+
the inodes created/read in volumes mounted by the pod will be the same as if the
156+
pod wasn't using user namespaces.
157+
158+
This way, a pod can easily enable and disable user namespaces (without affecting
159+
its volume's file ownerships) and can also share volumes with pods without user
160+
namespaces by just setting the appropriate users inside the container
161+
(`RunAsUser`, `RunAsGroup`, `fsGroup`, etc.). This applies to any volume the pod
162+
can mount, including `hostPath` (if the pod is allowed to mount `hostPath`
163+
volumes).
153164
154165
The valid UIDs/GIDs when this feature is enabled is the range 0-65535. This
155166
applies to files and processes (`runAsUser`, `runAsGroup`, etc.).
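Review bot: the parenthetical added at new line 161, `(RunAsUser, RunAsGroup, fsGroup, etc.)`, capitalizes the first two names differently from the pod spec fields `runAsUser`, `runAsGroup` that the same hunk uses at lines 151 and 166. This block is the English source text kept for sync with upstream, so confirm it matches the current en page verbatim; if upstream has the lowercase form, use `runAsUser`, `runAsGroup` here so the comment and the Chinese translation in the next hunk agree. The new `hostPath` sentence at lines 161-163 is the security-relevant caveat of this passage (the host UID/GID mapping changes nothing about which inodes a pod reads or writes in a mounted volume) and should stay exactly as worded.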
@@ -158,7 +169,17 @@ kubelet 将挑选 Pod 所映射的主机 UID/GID,
158169
并以此保证同一节点上没有两个 Pod 使用相同的方式进行映射。
159170

160171
`pod.spec` 中的 `runAsUser``runAsGroup``fsGroup` 等字段总是指的是容器内的用户。
161-
启用该功能时,有效的 UID/GID 在 0-65535 范围内。这以限制适用于文件和进程(`runAsUser``runAsGroup` 等)。
172+
这些用户将用于卷挂载(在 `pod.spec.volumes` 中指定),
173+
因此,主机上的 UID/GID 不会影响 Pod 挂载卷的读写操作。
174+
换句话说,由 Pod 挂载卷中创建或读取的 inode,将与 Pod 未使用用户命名空间时相同。
175+
176+
通过这种方式,Pod 可以轻松启用或禁用用户命名空间(不会影响其卷中文件的所有权),
177+
并且可以通过在容器内部设置适当的用户(`runAsUser``runAsGroup``fsGroup` 等),
178+
即可与没有用户命名空间的 Pod 共享卷。这一点适用于 Pod 可挂载的任何卷,
179+
包括 `hostPath`(前提是允许 Pod 挂载 `hostPath` 卷)。
180+
181+
启用该功能时,有效的 UID/GID 在 0-65535 范围内。
182+
这适用于文件和进程(`runAsUser``runAsGroup` 等)。
162183

163184
<!--
164185
Files using a UID/GID outside this range will be seen as belonging to the
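Review bot: the field list at new line 177 uses `runAsUser`, `runAsGroup`, which is the correct pod spec casing but does not match `RunAsUser`, `RunAsGroup` in the English source comment at line 161 of the previous hunk; pick one casing for both so later syncs do not flag a spurious difference. Two wording points: at line 174, "由 Pod 挂载卷中创建或读取的 inode" reads more naturally as "在 Pod 所挂载的卷中创建或读取的 inode", and at line 173, "不会影响 Pod 挂载卷的读写操作" drops the source's "volumes the pod can mount"; "不会影响 Pod 可挂载的卷的读写操作" keeps that qualifier. Replacing old line 161 also fixes the typo "这以限制" with "这适用于" at line 182, which is correct.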
