{"id":13587981,"url":"https://github.com/rootless-containers/usernetes","last_synced_at":"2026-01-17T09:01:45.932Z","repository":{"id":37677644,"uuid":"141435447","full_name":"rootless-containers/usernetes","owner":"rootless-containers","description":"Kubernetes without the root privileges","archived":false,"fork":false,"pushed_at":"2025-12-18T08:15:21.000Z","size":1011,"stargazers_count":944,"open_issues_count":26,"forks_count":68,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-12-21T14:26:47.288Z","etag":null,"topics":["containerd","cri-o","docker","kubernetes","rootless-containers"],"latest_commit_sha":null,"homepage":"https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2033-kubelet-in-userns-aka-rootless","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rootless-containers.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2018-07-18T13:01:15.000Z","updated_at":"2025-12-21T14:06:34.000Z","dependencies_parsed_at":"2024-06-02T20:21:22.385Z","dependency_job_id":"7e136674-17f6-4601-9cff-a0539ff36af4","html_url":"https://github.com/rootless-containers/usernetes","commit_stats":null,"previous_names":[],"tags_count":55,"template":false,"template_full_name":null,"purl":"pkg:github/rootless-containers/usernetes","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Fusernetes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/repositories/rootless-containers%2Fusernetes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Fusernetes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Fusernetes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rootless-containers","download_url":"https://codeload.github.com/rootless-containers/usernetes/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootless-containers%2Fusernetes/sbom","scorecard":{"id":784634,"data":{"date":"2025-08-11","repo":{"name":"github.com/rootless-containers/usernetes","commit":"d0eb4ed14d591839fa911b3c086fcb2d23cfbe03"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.1,"checks":[{"name":"Code-Review","score":0,"reason":"Found 1/13 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":3,"reason":"3 commit(s) and 1 issue activity found in the last 
90 days -- score normalized to 3","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/main.yaml:1","Info: topLevel permissions set to 'read-all': .github/workflows/reusable-multi-node.yaml:34","Info: topLevel permissions set to 'read-all': .github/workflows/reusable-single-node.yaml:29","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-multi-node.yaml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/usernetes/reusable-multi-node.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/reusable-multi-node.yaml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/usernetes/reusable-multi-node.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/reusable-multi-node.yaml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/usernetes/reusable-multi-node.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/reusable-single-node.yaml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/rootless-containers/usernetes/reusable-single-node.yaml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:5","Warn: downloadThenRun not pinned by hash: init-host/init-host.root.sh:75","Warn: downloadThenRun not pinned by hash: .github/workflows/reusable-single-node.yaml:65","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 containerImage dependencies pinned","Info:   0 out of   2 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked 
with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-23T05:45:53.830Z","repository_id":37677644,"created_at":"2025-08-23T05:45:53.830Z","updated_at":"2025-08-23T05:45:53.830Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28504596,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T06:57:29.758Z","status":"ssl_error","status_checked_at":"2026-01-17T06:56:03.931Z","response_time":85,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containerd","cri-o","docker","kubernetes","rootless-containers"],"created_at":"2024-08-01T15:06:27.177Z","updated_at":"2026-01-17T09:01:45.867Z","avatar_url":"https://github.com/rootless-containers.png","language":"Shell","funding_links":[],"categories":["Shell","docker","Cluster Provisioning \u0026 Lifecycle"],"sub_categories":[],"readme":"# Usernetes: Kubernetes without the root privileges (Generation 2)\n\nUsernetes (Gen2) deploys a Kubernetes cluster inside [Rootless Docker](https://rootlesscontaine.rs/getting-started/docker/),\nso as to mitigate potential container-breakout vulnerabilities.\n\n\u003e [!NOTE]\n\u003e\n\u003e Usernetes (Gen2) has *significantly* diverged from the original Usernetes (Gen1),\n\u003e which did not require Rootless 
Docker to be installed on hosts.\n\u003e\n\u003e See the [`gen1`](https://github.com/rootless-containers/usernetes/tree/gen1) branch for\n\u003e the original Usernetes (Gen1).\n\nUsernetes (Gen2) is similar to [Rootless `kind`](https://kind.sigs.k8s.io/docs/user/rootless/) and [Rootless minikube](https://minikube.sigs.k8s.io/docs/drivers/docker/),\nbut Usernetes (Gen2) supports creating a cluster with multiple hosts.\n\n## Components\n- Cluster configuration: kubeadm\n- CRI: containerd\n- OCI: runc\n- CNI: Flannel\n\n## Requirements\n\n- One of the following host operating systems:\n\n|Host operating system|Minimum version|\n|---------------------|---------------|\n|Ubuntu (recommended) |22.04          |\n|Rocky Linux          |9              |\n|AlmaLinux            |9              |\n|Fedora               |(?)            |\n\n- One of the following container engines:\n\n|Container Engine                                                                    |Minimum version|\n|------------------------------------------------------------------------------------|---------------|\n|[Rootless Docker](https://rootlesscontaine.rs/getting-started/docker/) (recommended)|v20.10         |\n|[Rootless Podman](https://rootlesscontaine.rs/getting-started/podman/)              |v4.x           |\n|[Rootless nerdctl](https://rootlesscontaine.rs/getting-started/containerd/)         |v1.6           |\n\n```bash\ncurl -o install.sh -fsSL https://get.docker.com\nsudo sh install.sh\ndockerd-rootless-setuptool.sh install\n```\n\n- systemd lingering:\n```bash\nsudo loginctl enable-linger $(whoami)\n```\n\n- cgroup v2 delegation:\n```bash\nsudo mkdir -p /etc/systemd/system/user@.service.d\n\nsudo tee /etc/systemd/system/user@.service.d/delegate.conf \u003c\u003cEOF \u003e/dev/null\n[Service]\nDelegate=cpu cpuset io memory pids\nEOF\n\nsudo systemctl daemon-reload\n```\n\n- Kernel modules:\n```\nsudo tee /etc/modules-load.d/usernetes.conf \u003c\u003cEOF 
\u003e/dev/null\nbr_netfilter\nvxlan\nEOF\n\nsudo systemctl restart systemd-modules-load.service\n```\n\n- sysctl:\n```\nsudo tee /etc/sysctl.d/99-usernetes.conf \u003c\u003cEOF \u003e/dev/null\nnet.ipv4.conf.default.rp_filter = 2\nEOF\n\nsudo sysctl --system\n```\n\n- slirp4netns, not Pasta:\n```\n# Podman v5 (or later) users have to change the network mode from pasta to slirp4netns.\n# This step is not needed for Docker, nerdctl, and Podman v4.\n\nmkdir -p \"$HOME/.config/containers/containers.conf.d\"\ncat \u003c\u003cEOF \u003e\"$HOME/.config/containers/containers.conf.d/slirp4netns.conf\"\n[network]\ndefault_rootless_network_cmd=\"slirp4netns\"\nEOF\n```\n\u003c!--\npasta does not seem to work well\n\n\u003e 2024-12-02T17:15:40.070018488Z stderr F E1202 17:15:40.068621       1 main.go:228] Failed to create SubnetManager:\n\u003e error retrieving pod spec for 'kube-flannel/kube-flannel-ds-ms2d9': Get \"https://10.96.0.1:443/api/v1/namespaces/kube-flannel/pods/kube-flannel-ds-ms2d9\":\n\u003e dial tcp 10.96.0.1:443: i/o timeout\n--\u003e\n\nUse scripts in [`./init-host`](./init-host) for automating these steps.\n\n## Usage\nSee `make help`.\n\n```bash\n# Bootstrap a cluster\nmake up\nmake kubeadm-init\nmake install-flannel\n\n# Enable kubectl\nmake kubeconfig\nexport KUBECONFIG=$(pwd)/kubeconfig\nkubectl get pods -A\n\n# Multi-host\nmake join-command\nscp join-command another-host:~/usernetes\nssh another-host make -C ~/usernetes up kubeadm-join\nmake sync-external-ip\n\n# Debug\nmake logs\nmake shell\nmake kubeadm-reset\nmake down-v\nkubectl taint nodes --all node-role.kubernetes.io/control-plane-\n```\n\nThe container engine defaults to Docker.\nTo change the container engine, set `export CONTAINER_ENGINE=podman` or `export CONTAINER_ENGINE=nerdctl`.\n\n### Customization\n\nThe following environment variables are recognized:\n\nName                  | Type    | Default 
value\n----------------------|---------|----------------------------------------------------------------\n`CONTAINER_ENGINE`    | String  | automatically resolved to \"docker\", \"podman\", or \"nerdctl\"\n`HOST_IP`             | String  | automatically resolved to the host's IP address\n`NODE_NAME`           | String  | \"u7s-\" + the host's hostname\n`NODE_SUBNET`         | String  | \"10.100.%d.0/24\" (%d is computed from the hash of the hostname)\n`PORT_ETCD`           | Integer | 2379\n`PORT_KUBELET`        | Integer | 10250\n`PORT_FLANNEL`        | Integer | 8472\n`PORT_KUBE_APISERVER` | Integer | 6443\n\n## Limitations\n- Node ports cannot be exposed automatically. Edit [`docker-compose.yaml`](./docker-compose.yaml) to expose additional node ports.\n- Most host files are not visible through `hostPath` mounts. Edit [`docker-compose.yaml`](./docker-compose.yaml) to mount additional files.\n- Some [volume drivers](https://kubernetes.io/docs/concepts/storage/volumes/) such as `nfs` do not work.\n\n## Advanced topics\n### Network\nWhen `CONTAINER_ENGINE` is set to `nerdctl`, [bypass4netns](https://github.com/rootless-containers/bypass4netns) can be enabled for accelerating `connect(2)` syscalls.\nThe acceleration currently does not apply to VXLAN packets.\n\n```bash\ncontainerd-rootless-setuptool.sh install-bypass4netnsd\nexport CONTAINER_ENGINE=nerdctl\nmake up\n```\n\n\u003e [!NOTE]\n\u003e\n\u003e The support for bypass4netns is still experimental\n\n### Multi-tenancy\n\nMultiple users on the hosts may create their own instances of Usernetes, but the port numbers have to be changed to avoid conflicts.\n\n```bash\n# Default: 2379\nexport PORT_ETCD=12379\n# Default: 10250\nexport PORT_KUBELET=20250\n# Default: 8472\nexport PORT_FLANNEL=18472\n# Default: 6443\nexport PORT_KUBE_APISERVER=16443\n\nmake up\n```\n\n![docs/images/multi-tenancy.png](./docs/images/multi-tenancy.png)\n\n### Rootful mode\nAlthough Usernetes (Gen2) is designed to be used with Rootless Docker, it should work with the regular \"rootful\" Docker too.\nThis might be useful for people looking for a \"multi-host\" version of [`kind`](https://kind.sigs.k8s.io/) and [minikube](https://minikube.sigs.k8s.io/).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootless-containers%2Fusernetes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frootless-containers%2Fusernetes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootless-containers%2Fusernetes/lists"}
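The Requirements section of the README above lists four host-level prerequisites that are easy to get half right: cgroup v2 delegation of `cpu cpuset io memory pids`, the `br_netfilter` and `vxlan` modules, `net.ipv4.conf.default.rp_filter = 2`, and systemd lingering. The script below is an added pre-flight check, not part of the Usernetes repository, for running before `make up`. The `cgroup.controllers` path, the `lsmod`/`sysctl`/`loginctl` invocations and the constructed `lsmod` sample are this example's assumptions; the `*_ok` helpers take the text they inspect as an argument so they can be exercised on constructed input, and `check_host` feeds them the live values.

```shell
#!/bin/sh
# Added example (not part of the Usernetes repository): pre-flight check for
# the host requirements in the Usernetes README. The *_ok helpers inspect text
# passed as an argument; check_host feeds them live values from this machine.
#
# Usage:  sh u7s-preflight.sh check
set -u

# The controllers the README's delegate.conf hands to user@.service.
U7S_REQUIRED_CONTROLLERS="cpu cpuset io memory pids"

# Constructed sample of `lsmod` output (not captured from a real host).
U7S_SAMPLE_LSMOD="Module                  Size  Used by
vxlan                 110592  0
br_netfilter           32768  0
overlay               151552  1"

# delegated_controllers_ok "<contents of the user's cgroup.controllers>"
# 0 when every required controller is delegated to the user's systemd
# instance, 1 (with the missing names on stderr) otherwise.
delegated_controllers_ok() {
    have=" $1 "
    missing=""
    for c in $U7S_REQUIRED_CONTROLLERS; do
        case "$have" in
            *" $c "*) ;;
            *) missing="$missing $c" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    printf 'cgroup v2 delegation incomplete, missing:%s\n' "$missing" >&2
    return 1
}

# modules_loaded_ok "<lsmod output>"
# br_netfilter makes bridged pod traffic visible to iptables; vxlan carries
# Flannel's overlay. Both are in the README's modules-load.d snippet.
modules_loaded_ok() {
    rc=0
    for m in br_netfilter vxlan; do
        if ! printf '%s\n' "$1" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
            printf 'kernel module not loaded: %s\n' "$m" >&2
            rc=1
        fi
    done
    return $rc
}

# rp_filter_ok "<value of net.ipv4.conf.default.rp_filter>"
# The README requires loose reverse-path filtering (2); 1 is strict mode and
# 0 disables the check entirely, so only 2 is accepted here.
rp_filter_ok() {
    [ "$1" = "2" ] && return 0
    printf 'net.ipv4.conf.default.rp_filter is %s, expected 2\n' "${1:-unset}" >&2
    return 1
}

# lingering_ok "<Linger=... line from loginctl show-user>"
# Without lingering, systemd stops the user's services on logout, taking the
# rootless engine and the cluster with them.
lingering_ok() {
    [ "$1" = "Linger=yes" ] && return 0
    printf 'systemd lingering is not enabled (run: sudo loginctl enable-linger %s)\n' "$(id -un)" >&2
    return 1
}

# Live check of this host; exit status 0 means all four checks passed.
check_host() {
    uid=$(id -u)
    ctl_file="/sys/fs/cgroup/user.slice/user-${uid}.slice/user@${uid}.service/cgroup.controllers"
    status=0
    delegated_controllers_ok "$(cat "$ctl_file" 2>/dev/null)" || status=1
    modules_loaded_ok "$(lsmod 2>/dev/null)" || status=1
    rp_filter_ok "$(sysctl -n net.ipv4.conf.default.rp_filter 2>/dev/null)" || status=1
    lingering_ok "$(loginctl show-user "$(id -un)" -p Linger 2>/dev/null)" || status=1
    return $status
}

case "${1:-}" in
    check) check_host && echo "host is ready for Usernetes" ;;
    demo)  modules_loaded_ok "$U7S_SAMPLE_LSMOD" && echo "sample lsmod output passes" ;;
esac
```

Run it as the unprivileged user that will own the cluster, not via `sudo`: the delegation check reads that user's own `user@<uid>.service` cgroup, and a root shell would report root's controllers instead.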
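The Docker install snippet in the Requirements section downloads `install.sh` and runs it under `sudo` without checking what arrived, and the OpenSSF Scorecard record embedded above flags the same download-then-run pattern elsewhere in the repository (Pinned-Dependencies). The helpers below are an added example, not Usernetes or Docker code: they pin the download to a SHA-256 recorded after reviewing the script, and only move a verified file into place. The placeholder digest, the `fetch_verified`/`verify_sha256` names and the use of `curl --proto '=https'` are this example's assumptions; the only real digest in it is the well-known SHA-256 of the string `hello\n` used by the offline self-check.

```shell
#!/bin/sh
# Added example (not part of the Usernetes repository): verify a downloaded
# script against a pinned SHA-256 before running it, instead of the README's
# unchecked "curl -o install.sh; sudo sh install.sh".
set -u

# sha256_of <file>: print the hex digest with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 <file> <expected-hex>: 0 on match, 1 on mismatch.
# Case-insensitive so a digest copied from a web page still compares.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' "$1" "$expected" "$actual" >&2
    return 1
}

# fetch_verified <url> <dest> <expected-hex>: download to a temp file next to
# <dest>, verify, and only then rename it into place, so an unverified or
# tampered download never sits at <dest> waiting to be executed.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url" && verify_sha256 "$tmp" "$expected"; then
        mv "$tmp" "$dest"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Offline self-check on constructed data: a file holding "hello\n" has a
# well-known SHA-256, so this proves the comparison path without a network.
selfcheck() {
    f=$(mktemp) || return 1
    printf 'hello\n' > "$f"
    if verify_sha256 "$f" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return $rc
}

# Replacement for the README's install step. The digest is a PLACEHOLDER:
# substitute the one you computed from the revision of the script you read.
#   EXPECTED_SHA256=0000000000000000000000000000000000000000000000000000000000000000
#   fetch_verified https://get.docker.com ./install.sh "$EXPECTED_SHA256" && sudo sh ./install.sh
```

A pinned digest for `get.docker.com` will stop matching when Docker publishes a new script; that is the intended failure mode. Re-read the new script, update the pin, and rerun, rather than removing the check.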
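The Multi-tenancy section says each user must move the four ports to avoid conflicts but leaves choosing the numbers, and confirming they are actually free, to the reader. The script below is an added example, not part of Usernetes: it derives a tenant's port set from the README defaults (one 10000 block per tenant, which reproduces the README's own 12379/20250/18472/16443 for the first extra tenant) and checks it against the host's current listeners from `ss -lntu`. UDP is included because `PORT_FLANNEL` is Flannel's VXLAN port. The offset scheme, the function names and the constructed `ss` sample are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the Usernetes repository): plan a tenant's
# PORT_* set and check it against what is already bound on the host.
set -u

# README defaults: etcd and kubelet (TCP), Flannel VXLAN (UDP), kube-apiserver (TCP).
u7s_default_port() {
    case "$1" in
        PORT_ETCD)           echo 2379 ;;
        PORT_KUBELET)        echo 10250 ;;
        PORT_FLANNEL)        echo 8472 ;;
        PORT_KUBE_APISERVER) echo 6443 ;;
        *) echo "unknown port name: $1" >&2; return 1 ;;
    esac
}

# u7s_port <name> <tenant-index>: default + 10000 * index. Index 0 is the
# README default; index 1 is the README's multi-tenancy example. Indexes
# above 5 would push PORT_KUBELET past 65535, so callers cap there.
u7s_port() {
    base=$(u7s_default_port "$1") || return 1
    echo $((base + 10000 * $2))
}

# listening_ports "<ss -lntu output>": one bound port per line, TCP and UDP.
# The local socket is the only field ending in ":<digits>"; a listener's peer
# column ends in ":*", and the header is skipped.
listening_ports() {
    printf '%s\n' "$1" | awk 'NR > 1 { for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { sub(/.*:/, "", $i); print $i } }'
}

# ports_free <tenant-index> "<ss -lntu output>": 0 if none of the tenant's
# four ports is already bound, 1 (naming each clash on stderr) otherwise.
ports_free() {
    idx=$1
    inuse=$(listening_ports "$2")
    rc=0
    for name in PORT_ETCD PORT_KUBELET PORT_FLANNEL PORT_KUBE_APISERVER; do
        p=$(u7s_port "$name" "$idx")
        if printf '%s\n' "$inuse" | grep -qx "$p"; then
            echo "$name=$p is already in use on this host" >&2
            rc=1
        fi
    done
    return $rc
}

# tenant_env <tenant-index>: the exports to evaluate before `make up`.
tenant_env() {
    for name in PORT_ETCD PORT_KUBELET PORT_FLANNEL PORT_KUBE_APISERVER; do
        echo "export $name=$(u7s_port "$name" "$1")"
    done
}

# Constructed `ss -lntu` sample (not captured from a real host): a first
# tenant already runs with the README defaults, plus sshd.
U7S_SAMPLE_SS="Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:8472       0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:6443       0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:2379       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*"

# Live use: print the env for the lowest tenant index whose ports are free.
#   eval "$(sh u7s-ports.sh plan)" && make up
if [ "${1:-}" = "plan" ]; then
    live=$(ss -lntu 2>/dev/null)
    idx=0
    while [ "$idx" -le 5 ] && ! ports_free "$idx" "$live" 2>/dev/null; do
        idx=$((idx + 1))
    done
    [ "$idx" -le 5 ] || { echo "no free port block found" >&2; exit 1; }
    tenant_env "$idx"
fi
```

The check is a snapshot of this host only. Ports are also fixed in the `join-command` shipped to other hosts, so every tenant should use the same index on every node, and two tenants choosing the same block at the same moment still race; a shared allocation (one index per Unix user, agreed out of band) is the robust version of this.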