feat: allow users to run coredns in usernamespaces

hegerdes · hegerdes · commit a550e713f655 · 2025-05-29T14:04:54.000+02:00
Signed-off-by: Henrik Gerdes &lt;hegerdes@outlook.de&gt;
diff --git a/charts/coredns/Chart.yaml b/charts/coredns/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: coredns
-version: 1.42.2
+version: 1.42.3
 appVersion: 1.12.0
 home: https://coredns.io
 icon: https://coredns.io/images/CoreDNS_Colour_Horizontal.png
@@ -19,5 +19,5 @@ maintainers:
 type: application
 annotations:
   artifacthub.io/changes: |
-    - kind: removed
-      description: Removed "istcp" true for default dns:// scheme in "coredns.containerPorts" definition.
+    - kind: added
+      description: Add support to run pods in usernamespaces
diff --git a/charts/coredns/README.md b/charts/coredns/README.md
@@ -110,7 +110,7 @@ The command removes all the Kubernetes components associated with the chart and
 | Parameter                                      | Description                                                                                                                               | Default                                                      |
 | :--------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------- |
 | `image.repository`                             | The image repository to pull from                                                                                                         | coredns/coredns                                              |
-| `image.tag`                                    | The image tag to pull from (derived from Chart.yaml)                                                                                      | ``                                                      |
+| `image.tag`                                    | The image tag to pull from (derived from Chart.yaml)                                                                                      | ``                                                           |
 | `image.pullPolicy`                             | Image pull policy                                                                                                                         | IfNotPresent                                                 |
 | `image.pullSecrets`                            | Specify container image pull secrets                                                                                                      | `[]`                                                         |
 | `replicaCount`                                 | Number of replicas                                                                                                                        | 1                                                            |
@@ -143,6 +143,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `isClusterService`                             | Specifies whether chart should be deployed as cluster-service or normal k8s app.                                                          | true                                                         |
 | `priorityClassName`                            | Name of Priority Class to assign pods                                                                                                     | `""`                                                         |
 | `securityContext`                              | securityContext definition for pods                                                                                                       | capabilities.add.NET_BIND_SERVICE                            |
+| `hostUsers`                                    | Specifies whether to use usernamespaces or not                                                                                            | true                                                         |
 | `servers`                                      | Configuration for CoreDNS and plugins                                                                                                     | See values.yml                                               |
 | `livenessProbe.enabled`                        | Enable/disable the Liveness probe                                                                                                         | `true`                                                       |
 | `livenessProbe.initialDelaySeconds`            | Delay before liveness probe is initiated                                                                                                  | `60`                                                         |
@@ -164,7 +165,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `extraVolumes`                                 | Optional array of volumes to create                                                                                                       | []                                                           |
 | `extraVolumeMounts`                            | Optional array of volumes to mount inside the CoreDNS container                                                                           | []                                                           |
 | `extraSecrets`                                 | Optional array of secrets to mount inside the CoreDNS container                                                                           | []                                                           |
-| `env`                                          | Optional array of environment variables for CoreDNS container                                                                           | []                                                           |
+| `env`                                          | Optional array of environment variables for CoreDNS container                                                                             | []                                                           |
 | `customLabels`                                 | Optional labels for Deployment(s), Pod, Service, ServiceMonitor objects                                                                   | {}                                                           |
 | `customAnnotations`                            | Optional annotations for Deployment(s), Pod, Service, ServiceMonitor objects                                                              |
 | `rollingUpdate.maxUnavailable`                 | Maximum number of unavailable replicas during rolling update                                                                              | `1`                                                          |
diff --git a/charts/coredns/templates/deployment.yaml b/charts/coredns/templates/deployment.yaml
@@ -72,6 +72,9 @@ spec:
       {{- if .Values.isClusterService }}
       dnsPolicy: Default
       {{- end }}
+      {{- if not .Values.hostUsers }}
+      hostUsers: false
+      {{- end }}
       {{- if .Values.affinity }}
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}
diff --git a/charts/coredns/values.yaml b/charts/coredns/values.yaml
@@ -102,6 +102,9 @@ securityContext:
       - ALL
   readOnlyRootFilesystem: true
 
+# Uses users of the host system. If set to false uses usernamespaces. Requires Kubernetes >= 1.33
+hostUsers: true
+
 # Default zone is what Kubernetes recommends:
 # https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#coredns-configmap-options
 servers:
