hashicorp · fatmcgav · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
@@ -0,0 +1,7 @@
+```release-note:enhancement
+Add User Namespaces support to following resources:
+* `kubernetes_daemon_set_v1`
+* `kubernetes_deployment_v1`
+* `kubernetes_pod_v1`
+* `kubernetes_stateful_set_v1`
+```
@@ -140,7 +140,7 @@ func resourceKubernetesDaemonSetSchemaV1() map[string]*schema.Schema {
 		},
 		"wait_for_rollout": {
 			Type:        schema.TypeBool,
-			Description: "Wait for the rollout of the deployment to complete. Defaults to true.",
+			Description: "Wait for the rollout of the daemon set to complete. Defaults to true.",
 			Default:     true,
 			Optional:    true,
 		},

@@ -218,6 +218,35 @@ func TestAccKubernetesDaemonSetV1_initContainer(t *testing.T) {
 	})
 }
 
+func TestAccKubernetesDaemonSetV1_host_users(t *testing.T) {
+	name := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "kubernetes_daemon_set_v1.test"
+	imageName := busyboxImage
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			skipIfClusterVersionLessThan(t, "1.25.0") // User namespaces is beta in 1.25
+		},
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccCheckKubernetesDaemonSetV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKubernetesDaemonSetV1ConfigHostUsers(name, imageName, true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.template.0.spec.0.host_users", "true"),
+				),
+			},
+			{
+				Config: testAccKubernetesDaemonSetV1ConfigHostUsers(name, imageName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.template.0.spec.0.host_users", "false"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccKubernetesDaemonSetV1_noTopLevelLabels(t *testing.T) {
 	var conf appsv1.DaemonSet
 	resourceName := "kubernetes_daemon_set_v1.test"
@@ -1394,3 +1423,34 @@ func testAccKubernetesDaemonSetV1ConfigMinimalWithTemplateNamespace(name, imageN
 }
 `, name, imageName)
 }
+
+func testAccKubernetesDaemonSetV1ConfigHostUsers(name, image string, hostUsers bool) string {
+	return fmt.Sprintf(`
+resource "kubernetes_daemon_set_v1" "test" {
+  metadata {
+    name = "%s"
+  }
+  spec {
+    selector {
+      match_labels = {
+        app = "tf-acc-test"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "tf-acc-test"
+        }
+      }
+      spec {
+        host_users = %t
+        container {
+          image = "%s"
+          name  = "test"
+        }
+      }
+    }
+  }
+}
+`, name, hostUsers, image)
+}
@@ -692,6 +692,35 @@ func TestAccKubernetesDeploymentV1_with_container_security_context_seccomp_local
 	})
 }
 
+func TestAccKubernetesDeploymentV1_host_users(t *testing.T) {
+	name := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "kubernetes_deployment_v1.test"
+	imageName := busyboxImage
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			skipIfClusterVersionLessThan(t, "1.25.0") // User namespaces is beta in 1.25
+		},
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccCheckKubernetesDeploymentV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKubernetesDeploymentV1ConfigHostUsers(name, imageName, true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.template.0.spec.0.host_users", "true"),
+				),
+			},
+			{
+				Config: testAccKubernetesDeploymentV1ConfigHostUsers(name, imageName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.template.0.spec.0.host_users", "false"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccKubernetesDeploymentV1_with_volume_mount(t *testing.T) {
 	var conf appsv1.Deployment
 
@@ -3247,3 +3276,35 @@ func testAccKubernetesDeploymentV1ConfigWithResourceFieldSelector(rcName, imageN
 }
 `, rcName, imageName, resourceName, divisor)
 }
+
+func testAccKubernetesDeploymentV1ConfigHostUsers(name, image string, hostUsers bool) string {
+	return fmt.Sprintf(`
+resource "kubernetes_deployment_v1" "test" {
+  metadata {
+    name = "%s"
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = {
+        app = "tf-acc-test"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "tf-acc-test"
+        }
+      }
+      spec {
+        host_users = %t
+        container {
+          image = "%s"
+          name  = "test"
+        }
+      }
+    }
+  }
+}
+`, name, hostUsers, image)
+}
@@ -753,6 +753,35 @@ func TestAccKubernetesPodV1_with_container_security_context(t *testing.T) {
 	})
 }
 
+func TestAccKubernetesPodV1_host_users(t *testing.T) {
+	name := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "kubernetes_pod_v1.test"
+	imageName := busyboxImage
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			skipIfClusterVersionLessThan(t, "1.25.0") // User namespaces is beta in 1.25
+		},
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccCheckKubernetesPodV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKubernetesPodV1ConfigHostUsers(name, imageName, true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.host_users", "true"),
+				),
+			},
+			{
+				Config: testAccKubernetesPodV1ConfigHostUsers(name, imageName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.host_users", "false"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccKubernetesPodV1_with_volume_mount(t *testing.T) {
 	var conf api.Pod
 
@@ -3672,3 +3701,20 @@ resource "kubernetes_pod_v1" "test" {
 }
 `, secretName, podName, imageName)
 }
+
+func testAccKubernetesPodV1ConfigHostUsers(name, image string, hostUsers bool) string {
+	return fmt.Sprintf(`
+resource "kubernetes_pod_v1" "test" {
+  metadata {
+    name = "%s"
+  }
+  spec {
+    host_users = %t
+    container {
+      image = "%s"
+      name  = "test"
+    }
+  }
+}
+`, name, hostUsers, image)
+}
@@ -336,6 +336,35 @@ func TestAccKubernetesStatefulSetV1_Update(t *testing.T) {
 	})
 }
 
+func TestAccKubernetesStatefulSetV1_host_users(t *testing.T) {
+	name := acctest.RandomWithPrefix("tf-acc-test")
+	resourceName := "kubernetes_stateful_set_v1.test"
+	imageName := busyboxImage
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			skipIfClusterVersionLessThan(t, "1.25.0") // User namespaces is beta in 1.25
+		},
+		ProviderFactories: testAccProviderFactories,
+		CheckDestroy:      testAccCheckKubernetesStatefulSetV1Destroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccKubernetesStatefulSetV1ConfigHostUsers(name, imageName, true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.template.0.spec.0.host_users", "true"),
+				),
+			},
+			{
+				Config: testAccKubernetesStatefulSetV1ConfigHostUsers(name, imageName, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "spec.0.template.0.spec.0.host_users", "false"),
+				),
+			},
+		},
+	})
+}
+
 func TestAccKubernetesStatefulSetV1_waitForRollout(t *testing.T) {
 	var conf1, conf2 appsv1.StatefulSet
 	imageName := busyboxImage
@@ -1478,3 +1507,36 @@ func testAccKubernetesStatefulSetV1ConfigMinimalWithTemplateNamespace(name, imag
 }
 `, name, imageName)
 }
+
+func testAccKubernetesStatefulSetV1ConfigHostUsers(name, image string, hostUsers bool) string {
+	return fmt.Sprintf(`
+resource "kubernetes_stateful_set_v1" "test" {
+  metadata {
+    name = "%s"
+  }
+  spec {
+    replicas = 1
+    selector {
+      match_labels = {
+        app = "tf-acc-test"
+      }
+    }
+	service_name = "nginx"
+    template {
+      metadata {
+        labels = {
+          app = "tf-acc-test"
+        }
+      }
+      spec {
+        host_users = %t
+        container {
+          image = "%s"
+          name  = "test"
+        }
+      }
+    }
+  }
+}
+`, name, hostUsers, image)
+}
@@ -186,7 +186,6 @@ func podSpecFields(isUpdatable, isComputed bool) map[string]*schema.Schema {
 			Default:     conditionalDefault(!isComputed, false),
 			Description: "Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified.",
 		},
-
 		"host_pid": {
 			Type:        schema.TypeBool,
 			Optional:    true,
@@ -195,7 +194,14 @@ func podSpecFields(isUpdatable, isComputed bool) map[string]*schema.Schema {
 			Default:     conditionalDefault(!isComputed, false),
 			Description: "Use the host's pid namespace.",
 		},
-
+		"host_users": {
+			Type:        schema.TypeBool,
+			Optional:    true,
+			Computed:    isComputed,
+			ForceNew:    !isUpdatable,
+			Default:     conditionalDefault(!isComputed, true),
+			Description: "Use the host's user namespace. Optional: Defaults to true.",
+		},
 		"hostname": {
 			Type:        schema.TypeString,
 			Optional:    true,

@@ -91,6 +91,9 @@ func flattenPodSpec(in v1.PodSpec, isTemplate bool) ([]interface{}, error) {
 	att["host_ipc"] = in.HostIPC
 	att["host_network"] = in.HostNetwork
 	att["host_pid"] = in.HostPID
+	if in.HostUsers != nil {
+		att["host_users"] = *in.HostUsers
+	}
 
 	if in.Hostname != "" {
 		att["hostname"] = in.Hostname
@@ -795,6 +798,9 @@ func expandPodSpec(p []interface{}) (*v1.PodSpec, error) {
 	if v, ok := in["host_pid"]; ok {
 		obj.HostPID = v.(bool)
 	}
+	if v, ok := in["host_users"]; ok {
+		obj.HostUsers = ptr.To(v.(bool))
+	}
 
 	if v, ok := in["hostname"]; ok {
 		obj.Hostname = v.(string)