The talk is about user namespaces and the delegation of cgroup control in container orchestration systems. The speaker starts by explaining the concept of containers and container standards. They mention that containers use operating-system-level virtualization and discuss the various kernel technologies used in Linux containers. They also talk about the Open Container Initiative (OCI), which defines standards for containers in the free software ecosystem.

The speaker then moves on to Kubernetes, a container orchestration platform, and its terminology and architecture. They explain how containers are executed on nodes and the role of the Container Runtime Interface (CRI), and mention that CRI-O and containerd are implementations of that interface. They then discuss OpenShift, the Kubernetes container platform supported by Red Hat, and its integration with CRI-O and runc.

The speaker explains that OpenShift uses SELinux and namespaces for confinement and isolation, and introduces the concept of user namespaces: the container's UIDs and GIDs are mapped onto a range of unprivileged host IDs, so root inside the container is not root on the host. They highlight the benefits of user namespaces, including improved workload isolation and the ability to run legacy applications that expect to be root without granting them host root. The speaker then demonstrates user namespaces in OpenShift and Kubernetes: they show a pod specification with annotations that enable user namespaces and explain how the UID and GID mappings are defined. They also demonstrate running systemd-based workloads in containers.

The speaker further discusses cgroups and how OpenShift creates a unique cgroup for each container. They explain why the container runtime had to be modified to chown the cgroup to the (host-mapped) UID of the container's process: without that, a process such as systemd inside a user namespace cannot create or manage sub-cgroups. They describe the semantics for cgroup ownership in a container and how they are implemented in runc.

The speaker concludes by stating that cgroups v2 is not yet the default in OpenShift but is supported. They also mention that user namespaces in OpenShift are an alpha feature and discuss some limitations and challenges.
The speaker then invites questions from the audience.
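The two mechanics the talk leans on, translating IDs through a user namespace mapping and deciding whom the container's cgroup must belong to, are easy to get wrong at the boundaries. The following Go program is an added example written for this summary; it is not code from the talk, from runc, or from CRI-O. It parses the kernel's `/proc/<pid>/uid_map` format, translates IDs in both directions (rejecting unmapped IDs rather than silently yielding the kernel's overflow ID), and derives the host `uid:gid` a runtime would chown the cgroup directory to. The sample mapping `0 100000 65536` and the function names are constructed for illustration; the exact set of cgroup files runc chowns is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// IDMapping mirrors one line of /proc/<pid>/uid_map or gid_map:
// the Size IDs starting at ContainerID inside the namespace correspond to
// the Size IDs starting at HostID outside it.
type IDMapping struct {
	ContainerID uint32
	HostID      uint32
	Size        uint32
}

// ParseIDMap parses the kernel's three-column map format, one range per line.
func ParseIDMap(text string) ([]IDMapping, error) {
	var maps []IDMapping
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 3 {
			return nil, fmt.Errorf("malformed id map line %q", line)
		}
		var vals [3]uint32
		for i, f := range fields {
			v, err := strconv.ParseUint(f, 10, 32)
			if err != nil {
				return nil, fmt.Errorf("bad number %q in id map: %w", f, err)
			}
			vals[i] = uint32(v)
		}
		if vals[2] == 0 {
			return nil, fmt.Errorf("zero-length range in id map line %q", line)
		}
		maps = append(maps, IDMapping{ContainerID: vals[0], HostID: vals[1], Size: vals[2]})
	}
	if len(maps) == 0 {
		return nil, errors.New("empty id map")
	}
	return maps, nil
}

// ToHost translates an ID as seen inside the user namespace to the host ID.
// IDs outside every range are unmapped: the kernel presents them as the
// overflow ID (65534), but a runtime must treat them as an error, never chown
// anything to them.
func ToHost(maps []IDMapping, containerID uint32) (uint32, error) {
	for _, m := range maps {
		if containerID >= m.ContainerID && containerID-m.ContainerID < m.Size {
			return m.HostID + (containerID - m.ContainerID), nil
		}
	}
	return 0, fmt.Errorf("container id %d is not mapped", containerID)
}

// ToContainer is the inverse: a host ID to the ID visible inside the namespace.
func ToContainer(maps []IDMapping, hostID uint32) (uint32, error) {
	for _, m := range maps {
		if hostID >= m.HostID && hostID-m.HostID < m.Size {
			return m.ContainerID + (hostID - m.HostID), nil
		}
	}
	return 0, fmt.Errorf("host id %d is not mapped", hostID)
}

// CgroupOwner returns the host UID and GID the runtime has to chown the
// container's cgroup directory to so that a process running as
// containerUID:containerGID inside the user namespace can write to it
// (for example systemd creating sub-cgroups). This is the ownership semantic
// the talk describes, expressed as an assumption here; runc's own code differs.
func CgroupOwner(uidMaps, gidMaps []IDMapping, containerUID, containerGID uint32) (uint32, uint32, error) {
	uid, err := ToHost(uidMaps, containerUID)
	if err != nil {
		return 0, 0, err
	}
	gid, err := ToHost(gidMaps, containerGID)
	if err != nil {
		return 0, 0, err
	}
	return uid, gid, nil
}

func main() {
	// Constructed sample: one 65536-ID range, the shape a pod gets when the
	// runtime hands out a unique range per pod (hypothetical numbers).
	const sampleMap = "         0     100000      65536\n"
	maps, err := ParseIDMap(sampleMap)
	if err != nil {
		panic(err)
	}
	for _, id := range []uint32{0, 1000, 65535, 65536} {
		host, err := ToHost(maps, id)
		if err != nil {
			fmt.Printf("container uid %d: %v\n", id, err)
			continue
		}
		fmt.Printf("container uid %d -> host uid %d\n", id, host)
	}
	uid, gid, _ := CgroupOwner(maps, maps, 0, 0)
	fmt.Printf("chown the pod cgroup to %d:%d so container root can manage it\n", uid, gid)
}
```

The last loop iteration (container UID 65536) is the edge case worth noticing: it lies one past the mapped range, so the translation fails instead of returning a host ID, which is exactly the behaviour a runtime wants before it hands ownership of a cgroup to anyone.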