Since #158 we've required runtimes to error out if a configuration joins an existing namespace and adjusts it somehow (e.g. joining an existing UTC namespace and setting hostname, #214). However, the wording from #158 (which survives untouched in the current master) only talks about “when a path is specified”. I expect we want to do one of two things for consistency:

a. Lift the OCI restriction and allow join-and-tweak where the kernel supports it. When we landed the current restriction, the main issues seemed to be “we don't have a clear use-case for join and tweak” (although see #305) and “this is a foot gun” (I'd rather leave policy to higher-level config linters).

b. Extend the OCI restriction to all cases where the runtime does not create a new namespace. Besides the already covered “namespace entry exists and includes path”, we'd also want to forbid configs that were missing the relevant namespace(s) entirely (in which case the container inherits the host namespace(s)).

I'm partial to (a) in the long run, but (b) is less of a shift from the current spec and likely a better choice for a pending 1.0. I'm happy to PR text for either option, although the text itself will likely not be much trouble once we decide which course we want to take ;).