From 69e270f509c0141d67f82cbce5ad039a57fe2625 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Tue, 11 Mar 2025 15:33:22 +0100
Subject: [PATCH] pkg/kubelet: Explain why a user is required to get userns kubelet mappings

Signed-off-by: Rodrigo Campos
---
 pkg/kubelet/kubelet_pods.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/kubelet/kubelet_pods.go b/pkg/kubelet/kubelet_pods.go
index 8db4ab4b459..968df18e431 100644
--- a/pkg/kubelet/kubelet_pods.go
+++ b/pkg/kubelet/kubelet_pods.go
@@ -131,6 +131,12 @@ func (kl *Kubelet) getKubeletMappings() (uint32, uint32, error) {
 return defaultFirstID, defaultLen, nil
 }

+ // We NEED to check for the user because getsubids can be configured to gather the response
+ // with a remote call and we can't distinguish between the remote endpoint not being reachable
+ // and the remote endpoint is reachable but no entry is present for the user.
+ // So we check for the kubelet user first, if it exist and getsubids is present, we expect
+ // to get _some_ configuration. If the user exist and getsubids doesn't give us any
+ // configuration, then we consider the remote down and fail to start the kubelet.
 _, err := user.Lookup(kubeletUser)
 if err != nil {
 var unknownUserErr user.UnknownUserError
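Review bot: The added comment above `user.Lookup(kubeletUser)` describes only the case where the kubelet user exists and never says what a missing user means, which is the other half of the decision and the reason the lookup can stand in for "is a mapping expected at all". The `user.UnknownUserError` handling continues outside the hunk, so I cannot confirm the behaviour, but a closing line of the form `// If the user does not exist, <what the UnknownUserError branch below does>.` would make the fail-closed path easier to audit. It would also help to state why the kubelet refuses to start instead of falling back to the default range when getsubids returns nothing, presumably so pods never run with ID mappings the administrator did not configure. Minor wording: "if it exist" and "the user exist" should read "exists", and "the remote endpoint is reachable but no entry is present" reads better as "being reachable but having no entry".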