cri: add rawproc option

Signed-off-by: Jess Frazelle <[email protected]>

contributors/design-proposals/node/cri-rawproc.md

@@ -0,0 +1,35 @@
+# CRI: RawProc Option
+
+## Background
+
+Currently the way docker and most other container runtimes work is by masking
+and setting as read-only certain paths in `/proc`. This is to prevent data
+from being exposed into a container that should not be. However, there are
+certain use-cases where it is necessary to turn this off.
+
+## Motivation
+
+For end-users who would like to run unprivileged containers using user namespaces
+_nested inside_ CRI containers, we need an option to have a `RawProc`. That is,
+to explicitly turn off masking and setting read-only of paths so that we can
+mount `/proc` in the nested container as an unprivileged user.
+
+Please see the following filed issues for more information:
+- [opencontainers/runc#1658](https://github.com/opencontainers/runc/issues/1658#issuecomment-373122073)
+- [moby/moby#36597](https://github.com/moby/moby/issues/36597)
+
+## Implementation
+
+This proposal suggests adding the following to `bool` `LinuxSandboxSecurityContext`:
+
+```
+bool raw_proc
+```
+
+Which will inform the runtimes implementing CRI to not mask or set as read-only
+the paths in `/proc`.
+
+This option would also be exposed as a `bool` to the `securityContext` for
+containers in the form of `rawProc`.
+
+It will be false by default.