Summary
This issue is to track future support for running rootless container-image build validation jobs on eks-prow-build, specifically for a Kubespray presubmit that currently tries to validate test-infra/image-builder without pushing images.
It is mainly a tracking issue so the current limitation and the future path are documented.
Context
We are working on this Kubespray presubmit:
https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes-sigs/kubespray/kubespray-presubmits.yaml#L25-L78
image-builder: run validation with Dind kubernetes-sigs/kubespray#13212
The validation flow is:
- download the cloud image
- convert/resize it to qcow2
- wrap it into a container image
- validate that build path in CI without pushing
What is failing today
We first tried local BuildKit in rootful mode, but it failed in the Prow sandbox with mount permission errors.
We then tried rootless BuildKit, but the node environment reports that user namespaces are disabled:
user namespaces are disabled on this node; rootless BuildKit cannot run
Example failed logs:
What I found in k8s.io
The eks-prow-build cluster is Bottlerocket-based:
https://github.com/kubernetes/k8s.io/blob/master/kubernetes/eks-prow-build/kube-system/ec2nodeclass.yaml
The sysctls currently configured there are:
[settings.kernel.sysctl]
"fs.inotify.max_user_watches" = "1048576"
"fs.inotify.max_user_instances" = "8192"
"vm.min_free_kbytes" = "540672"
I could not find any config there that sets user.max_user_namespaces.
There is also a sysctl tuning daemonset here:
https://github.com/kubernetes/k8s.io/blob/master/kubernetes/eks-prow-build/kube-system/daemonsets.yaml
but it currently only sets the fs.inotify.* sysctls.
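A preflight check a job could run before starting rootless BuildKit, added here as an example (it is not code from this issue, kubespray, test-infra or k8s.io): it classifies the node's live user.max_user_namespaces value, probes whether an unprivileged user namespace can actually be created, and scans a Bottlerocket [settings.kernel.sysctl] fragment for the key. The sample values fed to it are constructed.

```shell
#!/bin/sh
# Preflight check for rootless BuildKit: are user namespaces usable here?
# Added example, not part of the original issue or of any linked project.

# Classify a user.max_user_namespaces value (argument) into a verdict line.
# An empty argument means the /proc entry was not readable at all.
userns_verdict() {
  case "$1" in
    "")        echo "unknown: user.max_user_namespaces not exposed" ;;
    0)         echo "disabled: user.max_user_namespaces=0" ;;
    *[!0-9]*)  echo "unknown: unparseable value '$1'" ;;
    *)         echo "enabled: user.max_user_namespaces=$1" ;;
  esac
}

# Read the live sysctl value from /proc (prints nothing if absent).
read_userns_limit() {
  cat /proc/sys/user/max_user_namespaces 2>/dev/null || true
}

# Print the value a Bottlerocket sysctl TOML fragment (stdin) assigns to
# "user.max_user_namespaces", or nothing when the key is not set.
toml_userns_setting() {
  sed -n 's/^[[:space:]]*"user\.max_user_namespaces"[[:space:]]*=[[:space:]]*"\([0-9]*\)".*/\1/p'
}

# Functional probe: can this (unprivileged) process create a user namespace?
# This is the same capability rootless BuildKit needs at startup.
probe_unshare() {
  unshare -U true 2>/dev/null
}

# Report both the sysctl view and the functional probe.
main_check() {
  limit=$(read_userns_limit)
  echo "sysctl: $(userns_verdict "$limit")"
  if probe_unshare; then
    echo "probe: unshare -U works; rootless BuildKit can start"
  else
    echo "probe: unshare -U failed; rootless BuildKit cannot run on this node"
  fi
}

main_check
```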
Discussion context
Thanks to the SIG Testing folks @BenTheElder and @upodroid for the discussion and guidance.
Relevant references:
User namespaces docs:
https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
Kubernetes v1.36 GA announcement:
https://kubernetes.io/blog/2026/04/23/kubernetes-v1-36-userns-ga/
What this issue is tracking
This issue is meant to track one of these future paths:
- revisiting rootless image-build support on eks-prow-build once Kubernetes 1.36 user namespace support is available end-to-end
- clarifying whether any additional cluster/runtime changes will still be needed for this lane at that time