KEP-127: Small clarification about phase II security guarantees

Even though phase II is not being targeted for 1.25 and we need to
further discuss with the community phase II before we can think of
implementing it.

Signed-off-by: Rodrigo Campos <[email protected]>

Author: rata

keps/sig-node/127-user-namespaces/README.md

@@ -389,6 +389,12 @@ listed vulnerabilities (as the host is protected from the container). It is also
 a trivial next-step to take, given that we have phase 1 implemented: just return
 the same mapping if the pod has other volumes.
 
+While these pods do not use a distinct user namespace mapping, they are still
+using a new user namespace object in the kernel (so they cannot join/attack
+other pods namespaces). Security-wise this is a middle layer between what we
+have today (no userns at all) and using a distinct UID/GID mapping for the user
+namespace.
+
 #### Phase 3: TBD
 
 #### Unresolved