Kubernetes enables user namespaces GA

- Kubernetes said on April 23 that user namespaces reached general availability in Kubernetes v1.36. The Linux-only feature maps container root to an unprivileged host user instead of host root.
- The v1.36 release landed April 22 with user namespaces enabled by default as a stable feature, and the docs say some High and Critical vulnerabilities were not exploitable when it was active.
- The feature gives shared clusters a built-in isolation layer without putting every workload in its own virtual machine. (kubernetes.io)

A user namespace is a Linux feature that lets a process look like root inside a container while appearing as an unprivileged user on the host machine. Kubernetes said that capability reached general availability in v1.36. (kubernetes.io 1) (kubernetes.io 2)

Kubernetes 1.36 was released on April 22, 2026, and the project’s release notes listed user namespaces among 18 enhancements that graduated to stable. The dedicated feature post followed on April 23. (kubernetes.io 1) (kubernetes.io 2) (kubernetes.io 3)

The practical change is a remapping of identities: user ID 0 inside the container no longer has to be user ID 0 on the node. Kubernetes documentation says that reduces the damage a compromised container can do to the host or other pods on the same machine. (kubernetes.io)

Kubernetes documents the feature as Linux-only and stable in v1.36, enabled by default. Operators can configure a pod to use a user namespace through the pod spec, and the project provides a task guide for that setup. (kubernetes.io 1) (kubernetes.io 2)

The Kubernetes project also tied the feature to specific security outcomes. Its documentation says several vulnerabilities rated High or Critical were not exploitable when user namespaces were active. (kubernetes.io) That matters most in places where many workloads share the same node, including multi-tenant clusters, continuous integration runners, and hosted build systems. The v1.36 release post described user namespaces as a defense-in-depth layer for container isolation and node security. (kubernetes.io) (kubernetes.io)

The feature has been a long-running effort inside Kubernetes. The enhancement proposal for user namespaces has been tracked in the project’s enhancements repository, and the April 23 post said the milestone came after several years of development. (github.com) (kubernetes.io)

Kubernetes framed the result in plain operational terms: workloads can keep privileges inside their own container boundary while losing equivalent power on the host. In shared clusters, that is the difference between a container break-out becoming a node-level incident or staying contained. (kubernetes.io)
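The two pieces described above, as an added example that is not code from the kubernetes.io posts: the UID remapping a user namespace performs, and an audit of pod manifests for workloads whose container root is still host root. The `uid_map` line and the manifests are constructed samples; `spec.hostUsers` is the real pod field that selects a user namespace, and an unset value is treated as the field's default of true.

```python
"""Show how a user namespace remaps UIDs and audit pod manifests for
pods that still share the host user namespace. Added example, not from
kubernetes.io; the uid_map line and manifests below are constructed."""
from typing import Dict, List, Optional

# A /proc/<pid>/uid_map line reads "<inside-start> <outside-start> <length>".
# The kubelet picks the outside range; 65536 is a constructed sample value.
SAMPLE_UID_MAP = "0 65536 65536"


def host_uid(container_uid: int, uid_map: str) -> Optional[int]:
    """Translate a UID seen inside the user namespace to the host UID.
    Returns None when the UID is outside every mapped range; the kernel
    shows such IDs as the overflow user (typically 'nobody')."""
    for line in uid_map.strip().splitlines():
        inside, outside, length = (int(x) for x in line.split())
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def uses_host_user_namespace(pod: Dict) -> bool:
    """A pod shares the host user namespace unless spec.hostUsers is
    explicitly false; an absent field means the default of true."""
    return pod.get("spec", {}).get("hostUsers", True) is not False


def pods_sharing_host_userns(pods: List[Dict]) -> List[str]:
    """Return namespace/name of every pod whose root is still host root."""
    return [
        f"{p['metadata'].get('namespace', 'default')}/{p['metadata']['name']}"
        for p in pods if uses_host_user_namespace(p)
    ]


# Constructed manifests: one isolated pod, one default pod, one opting out.
SAMPLE_PODS = [
    {"metadata": {"name": "ci-runner", "namespace": "ci"},
     "spec": {"hostUsers": False, "containers": [{"name": "r", "image": "busybox"}]}},
    {"metadata": {"name": "legacy-build"},
     "spec": {"containers": [{"name": "b", "image": "busybox"}]}},
    {"metadata": {"name": "node-agent", "namespace": "kube-system"},
     "spec": {"hostUsers": True, "containers": [{"name": "a", "image": "busybox"}]}},
]

if __name__ == "__main__":
    print("container uid 0 ->", host_uid(0, SAMPLE_UID_MAP), "on the host")
    print("unmapped uid 70000 ->", host_uid(70000, SAMPLE_UID_MAP))
    for ref in pods_sharing_host_userns(SAMPLE_PODS):
        print("still host root:", ref)
```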
