running CI here to make sure nothing unexpected fails

Codecov Report

Merging #5610 (82b8cef) into main (d0df46c) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

❗ Current head 82b8cef differs from pull request most recent head 7287318. Consider uploading reports for the commit 7287318 to get more accurate results

@@            Coverage Diff             @@
##             main    #5610      +/-   ##
==========================================
- Coverage   43.24%   43.22%   -0.03%     
==========================================
  Files         123      123              
  Lines       12220    12224       +4     
==========================================
- Hits         5285     5284       -1     
- Misses       6427     6432       +5     
  Partials      508      508              

/test integration_rhel

/retest-required

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fgiudici, giuseppe, haircommander

The full list of commands accepted by this bot can be found here.

The pull request process is described here

/retest-required

Please review the full test history for this PR and help us cut down flakes.

although I am not sure about the security implications. For using a host namespace, the container is already privileged. AFAIK, runc has already the same check and it was added to the last release of crun as well.

yeah I waiver between this being moderate and low severity. most kubernetes clusters don't do anything to prevent users from using host namespaces (until updated PSP, which is fairly new), which makes it more nefarious for upstream consumers (OCP has SCC, which mitigates this). However, the underlying principle is that a container affects the host in a way that wasn't really intended, which does feel like a container breakout

/cherry-pick release-1.23

@haircommander: once the present PR merges, I will cherry-pick it on top of release-1.23 in a new PR and assign it to you.

/retest-required

Please review the full test history for this PR and help us cut down flakes.

@haircommander: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Full PR test history. Your PR dashboard.

/override ci/prow/e2e-agnostic

@haircommander: Overrode contexts on behalf of haircommander: ci/prow/e2e-agnostic

/override ci/openshift-jenkins/integration_rhel

@haircommander: Overrode contexts on behalf of haircommander: ci/openshift-jenkins/integration_rhel

@haircommander: new pull request created: #5615

/cherry-pick release-1.22

@haircommander: new pull request created: #5616

/cherry-pick release-1.21

@haircommander: #5610 failed to apply on top of branch "release-1.21":

Applying: server: skip sysctls that would affect the host
Using index info to reconstruct a base tree...
M	server/sandbox_run_linux.go
Falling back to patching base and 3-way merge...
Auto-merging server/sandbox_run_linux.go
CONFLICT (content): Merge conflict in server/sandbox_run_linux.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 server: skip sysctls that would affect the host
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".