From af551636b98c9a4a2319c14dc16e29d3ad540cd3 Mon Sep 17 00:00:00 2001
From: Anatolii Bazko
Date: Fri, 6 Feb 2026 12:38:23 +0100
Subject: [PATCH] chore: Add HOST_USERS environment variable support for user namespace configuration
Signed-off-by: Anatolii Bazko
---
 pkg/constants/constants.go | 6 ++++++
 pkg/constants/env.go | 6 ++++++
 pkg/library/env/workspaceenv.go | 12 ++++++++++--
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 07b3a4c3d..e587c1592 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -100,6 +100,12 @@ const (
 // ProjectCloneDisable specifies that project cloning should be disabled.
 ProjectCloneDisable = "disable"
+
+ // DefaultHostUsers is the default value for spec.hostUsers in pod security context.
+ // When true (default), containers run in the host's user namespace. When false,
+ // Kubernetes creates a dedicated user namespace for the pod (requires user namespace support).
+ // See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
+ DefaultHostUsers = true
 )
 const (
diff --git a/pkg/constants/env.go b/pkg/constants/env.go
index c80a743e3..fcb8ea1fd 100644
--- a/pkg/constants/env.go
+++ b/pkg/constants/env.go
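Review bot: The doc comment on `DefaultHostUsers` places `hostUsers` in the pod security context, but in the Kubernetes API it is a field of the pod spec itself (`spec.hostUsers`), not of `spec.securityContext`, so a reader looking under the security context will not find it. I would reword the first line to `// DefaultHostUsers is the default value for the pod-level spec.hostUsers field.` One more comment line is worth adding to say that `true` keeps container UIDs mapped directly onto host UIDs, i.e. this default opts out of user-namespace isolation unless the config sets the field to false.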
@@ -34,6 +34,12 @@ const (
 // DevWorkspaceIdleTimeout contains env var name which value is the suggested idle timeout
 DevWorkspaceIdleTimeout = "DEVWORKSPACE_IDLE_TIMEOUT"
+ // DevWorkspaceHostUsers contains the env var name whose value indicates whether the container
+ // runs in the host's user namespace. When set to "false", container images should adjust their
+ // logic to work in a dedicated user namespace (e.g., file permissions, UID/GID handling).
+ // See: https://github.com/devfile/developer-images/pull/232
+ DevWorkspaceHostUsers = "HOST_USERS"
+
 // DevWorkspaceComponentName contains env var name which indicates from which devfile container component
 // the container is created from. Note the flattened devfile is used to evaluate it.
 DevWorkspaceComponentName = "DEVWORKSPACE_COMPONENT_NAME"
diff --git a/pkg/library/env/workspaceenv.go b/pkg/library/env/workspaceenv.go
index 6adf0ab24..4eca2a555 100644
--- a/pkg/library/env/workspaceenv.go
+++ b/pkg/library/env/workspaceenv.go
@@ -19,12 +19,12 @@ import (
 "fmt"
 "os"
- "github.com/devfile/devworkspace-operator/pkg/provision/workspace"
-
 dw "github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
 "github.com/devfile/devworkspace-operator/apis/controller/v1alpha1"
 devfileConstants "github.com/devfile/devworkspace-operator/pkg/library/constants"
+ "github.com/devfile/devworkspace-operator/pkg/provision/workspace"
 corev1 "k8s.io/api/core/v1"
+ "k8s.io/utils/pointer"
 "github.com/devfile/devworkspace-operator/pkg/common"
 "github.com/devfile/devworkspace-operator/pkg/constants"
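Review bot: `HOST_USERS` is the only name among the visible constants in this block without the `DEVWORKSPACE_` prefix, so it is more likely to coincide with a variable that a devfile component or a container image already defines; which definition wins when both are present is not visible from this hunk. The name appears to be fixed by the linked developer-images change, so rather than renaming I would state the contract in the comment: `// Reserved name: the operator only ever sets it to "false"; an absent variable means the host user namespace.` Images should treat the value as a hint for file-permission setup and not as proof of isolation.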
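Review bot: The added `k8s.io/utils/pointer` import brings in a package that upstream has deprecated in favour of the generic `k8s.io/utils/ptr`; the same applies to the `pointer.BoolDeref` call in the commonEnvironmentVariables hunk of this file. If the module's pinned k8s.io/utils already ships `ptr`, I would import `"k8s.io/utils/ptr"` here and write the call as `ptr.Deref(workspaceWithConfig.Config.Workspace.HostUsers, constants.DefaultHostUsers)`. The import block starts and ends outside the hunk, so the pinned version cannot be checked from here.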
@@ -84,6 +84,14 @@ func commonEnvironmentVariables(workspaceWithConfig *common.DevWorkspaceWithConf
 },
 }
+ hostUsers := pointer.BoolDeref(workspaceWithConfig.Config.Workspace.HostUsers, constants.DefaultHostUsers)
+ if !hostUsers {
+ envvars = append(envvars, corev1.EnvVar{
+ Name: constants.DevWorkspaceHostUsers,
+ Value: "false",
+ })
+ }
+
 envvars = append(envvars, getProxyEnvVars(workspaceWithConfig.Config.Routing.ProxyConfig)...)
 envvars = append(envvars, getSshAskPassEnvVars()...)
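Review bot: `HOST_USERS` is computed from `Config.Workspace.HostUsers` alone, and nothing in this hunk shows that the same defaulted value is what ends up in the pod's `spec.hostUsers`. If the pod spec is populated on a separate path the two can disagree, and an image that adapts its UID/GID handling to `HOST_USERS=false` would then be acting on a wrong assumption about its isolation. I would add a comment on the branch, `// Exported only when the pod gets a dedicated user namespace; absence means the host user namespace.`, and have the pod-spec code and this function read the flag through one shared helper so they cannot drift. The chained access also assumes `Config.Workspace` is non-nil, which cannot be confirmed from here; commonEnvironmentVariables starts and ends outside the hunk.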