Nic Cope
We may be able to leverage gVisor to run functions inside our (typically unprivileged) container by using `runsc run --rootless` per https://github.com/google/gvisor/pull/6581. I haven't tested this though - we'll likely...
@sergenyalcin just a heads up, I've been reading up on this a bit and hope to take a shot at a prototype today.
Regarding my previous comment about gVisor - I'm thinking that gVisor (runsc) and/or regular runc are probably not the best approaches, at least to begin with. As far as I...
@sergenyalcin Nice! I took a shot at integrating something very similar into Crossplane at https://github.com/negz/crossplane/commit/b537cc62cbb258525d44947525a812350c040a49. How are you feeling about the chroot vs CronJob approach at this point?
> I am feeling that choosing the chroot approach will be better.

This is also where I'm leaning. I'm going to fill out the design document today to capture the...
I've been working on the design (https://github.com/crossplane/crossplane/pull/2886) and struggling to explain why we can't use https://rootlesscontaine.rs rather than a simple chroot. In theory it should work, but in practice I've...
I've been testing a prototype based on user namespaces and noticed that Docker's default seccomp profile actually denies the `unshare` syscall (i.e. prevents us from creating a new user namespace)....
@bobh66 Do you want to move forward with this PR given @chlunde's proposed alternatives? I tend to agree with @chlunde that it would be nicer to fix the specific issue...
> I have two managed resources where one depends on the other.

Can you give an example of the nature of the dependency?

> Some provider implementations are kind of...
@valorl I do like the idea that EKS should clean up after itself, but unfortunately this only seems to be the most common/painful instance of the problem. I note for...