By the end of this you will have a worker node provisioned for user namespaces and a Pod whose in-container root (UID 0) maps to a powerless UID on the host, verified by reading /proc/self/uid_map instead of trusting the Pod spec. Kubernetes v1.36 shipped this as GA on 22 April 2026, and the field that turns it on, hostUsers: false, is the easy part. The node prep underneath it is where people lose an afternoon.
The reason this is worth your time over asking a model to "set up user namespaces": the working knowledge here is too new and too underdocumented for that to help. The kernel floor is 6.3, not the 5.12 everyone quotes. The failure mode when you get a dependency wrong is usually silence, not an error. And the same v1.36 upgrade that makes the feature free also deletes containerd 1.x support out from under you.
Prerequisites
Kubernetes v1.36+. UserNamespacesSupport is GA and on by default, so no feature gate. On v1.33 to v1.35 the feature works but you may still need the gate enabled.
Linux kernel 6.3 or newer on every node. idmap mounts landed in 5.12, but tmpfs idmap support (which kubelet needs for emptyDir and projected volumes) only merged in 6.3. This is the single most-missed requirement.
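The two checks the text describes, as an added shell example that is not from the original post: the kernel floor on the node, and the in-container uid_map read that proves root is actually remapped. The uid_map samples at the bottom are constructed; `kubectl exec` is the real command path, and the Pod name passed to it is yours.

```shell
#!/bin/sh
# Added example, not from the original post. The 6.3 floor and the
# "<inside> <outside> <count>" uid_map format come from the text; the sample
# uid_map strings at the bottom are constructed.

# kernel_at_least WANT RELEASE: succeeds when RELEASE (uname -r style) is at
# least WANT, given as MAJOR.MINOR. Only major and minor are compared.
kernel_at_least() {
  want_major=${1%%.*}
  want_minor=${1#*.}; want_minor=${want_minor%%.*}
  have_major=${2%%.*}
  have_rest=${2#*.}
  if [ "$have_rest" = "$2" ]; then have_minor=0; else have_minor=${have_rest%%[!0-9]*}; fi
  [ "$have_major" -gt "$want_major" ] && return 0
  [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ] && return 0
  return 1
}

# root_is_unprivileged UID_MAP_TEXT: exit 0 when in-container UID 0 maps to a
# non-zero host UID (a real user namespace), 1 when it maps to host root
# (hostUsers: true, or the feature silently not in effect), 2 when UID 0 is
# not mapped at all.
root_is_unprivileged() {
  printf '%s\n' "$1" | awk '
    $1 == 0 { found = 1; code = ($2 == 0) ? 1 : 0; exit }
    END { if (!found) exit 2; exit code }'
}

# Run on a worker node before setting hostUsers: false anywhere.
check_node_kernel() { kernel_at_least 6.3 "$(uname -r)"; }

# Run against a Running Pod: read the map from inside instead of trusting the spec.
verify_pod_userns() { root_is_unprivileged "$(kubectl exec "$1" -- cat /proc/self/uid_map)"; }

# Constructed samples: a host-user Pod and a Pod running in a user namespace.
HOST_MAP='         0          0 4294967295'
USERNS_MAP='         0     655360      65536'
```

`verify_pod_userns` exiting 1 on a Pod whose spec says `hostUsers: false` is the silent failure the text warns about: the Pod ran, but without the namespace.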