Should probably change this section.

I am having problems parsing the two options. What's the difference? Is it just the default?

What about "I use systemd in my container and systemd pukes when it is not pid 1" ?

@thockin I'm not sure how this happened, but some of your comments are for an outdated revision and some are current. I suspect you started a review and I updated the doc in the middle of it. Sorry about that.

The latest version of the proposal dropped this section and lists supporting pid == 1 in the goals.

@yujuhong What do you think here?

Do we need this? is shared PID somewhow a security escalation that we might want to deny users?

From the discussion in kubernetes/kubernetes#48937 and kubernetes/kubernetes#1615, people want to be able to use PID namespace separation as a security feature.

Wondering why this is left as a MAY. Can't it be MUST?

+1 for MUST.
I'd rather see the behavior clearly defined in CRI.

MAY is the status quo of no explicit default. I left it MAY for two reasons:

1. Do isolated PID namespaces exist in all runtimes? What do hypervisor runtimes do? What about rkt? I'm not sure since I only use Docker.
2. Do any current runtimes default to shared PID? Do we care about being backwards compatible with them? If yes, then we can't retroactively define a default behavior for v1.Pod, I think.

@yujuhong What do you think about an enum for the CRI? Something like: verb/kubernetes@db76a1b

I've rewritten this section to clearly define the behavior.

@yujuhong What do you think about an enum for the CRI? Something like: verb/kubernetes@db76a1b

Personally I like that better than a set of booleans for toggling the behavior :-) We could name the enum NamespaceType to be more generic.
That is, however, an API breaking change for CRI.

@mrunalp @Random-Liu @feiskyer thoughts?

Ok, great, a default of isolated it is. Good point on the generic name.

Also I realized that we'll need to be able to target a container's namespace for debug containers, which might influence the API design. This could be done as a fourth NamespaceType: verb/kubernetes@48fe4c2

@feiskyer for frakti? @Random-Liu for containerd @mrunalp for cri-o?

At sig-node, we talked about this, and the decision is introducing enum. Thanks!

@yujuhong Enum does look cleaner to me. And we could easily change to use the new enum in cri-containerd.

nit: the default is not really runtime specific. we need the api default to remain isolated across any runtime at this moment.

Oh, I thought the rkt & hypervisor runtimes defaulted to shared PID so making isolated the default could break existing config. I'm happy to define the default as isolated, I was just trying to be careful about backwards compatibility.

I've rewritten this section to clearly define the behavior.

Does it make sense to allow users to use their own custom sandbox image with pid 1 capabilities?

There's nothing preventing users to configure their runtime/shim to use a different image, if the runtime/shim supports it. I don't see we support that in kube/CRI in the near future though.

It'd be great to support such a feature, but I think it would be complicated. That's more towards the "general purpose init" to which I alluded in Non-goals.

+1 for MUST.
I'd rather see the behavior clearly defined in CRI.

The runtime behavior should be move to the next paragraph, together with CRI.

Done

Clarify that default will be False.

Done

I believe this is the internal API object..... The v1.PodSecurityContext does not contain the PID namespace fields...Could you update the text/code here to reflect that?

Whoops, you're right. Updated.

There's nothing preventing users to configure their runtime/shim to use a different image, if the runtime/shim supports it. I don't see we support that in kube/CRI in the near future though.

cc/ @Random-Liu for containerd and @mrunalp for cri-o on CRI changes.

The name leaves something to be desired, even if it is a mirror of hostPID (which itself is not a great name).

I'd probably prefer a name that covers the two important aspects of the flag:

1. that none of the containers will be PID 1
2. that all processes in each container will be able to see each other (and potentially interact)

shareProcessNamespace or something that captures "all containers will be part of the shared namespace" is better than sharedPID.

SGTM. I like the more descriptive name. We'll need to be sure to document well the relationship between shareProcessNamespace and hostPID.

@smarterclayton could you suggest an API reviewer for this change? It'd be nice to loop in that person to the proposal rather than waiting for one to be auto-assigned by the code PR.

Please note the downsides of enabling this shared mode - sidecar containers that were previously isolated are no longer so, environment variables are now visible to all other processes, any "kill all" semantics used within the process are now broken, exec processes from other containers will now show up, etc. This doc should clarify tradeoffs.

Added a section here. Let me know if I missed anything.

Shouldn't this support TARGET too?

Follow-up question: do we want other namespaces to also support TARGET?

It's a bit strange for the other namespaces since they don't support isolation. We don't need to support TARGET for things like network & ipc because POD & NODE are sufficient for the new container to be placed in the correct namespace.

Do we need to allow Sandbox IDs?

Oh, no, and I don't think we want to. Containers should only be able to target their own pod. I'll remove that.

I think the previous subsection is more straightforward, but the introduction of TARGET makes the use case more complex. Could you elaborate a bit more on how the debug container would be configured in CRI?

In CRI today, you'd need to create a container in a PodSandbox, i.e., your debug container needs to join an existing PodSandbox, or you'd need to create a new PodSandbox for it. Are you going to allow pod A to join some of pod B's namespaces, or do you always require the debug container to join the PodSandbox in which the target container resides? What combination of NamespaceOptions and PodSandbox configs are valid?

Containers should not be able to join a namespace from a different pod. We require the debug container to join the sandbox in which the target container resides. I've updated the propose to be explicit about this.

The CRI changes in this subsection looks good to me. It makes the API more clear.

/cc a few CRI runtime maintainers since the change won't be backward compatible.
@Random-Liu @mrunalp @runcom