Enable shared PID namespace by default for docker pods

[verb]

What this PR does / why we need it: This PR enables PID namespace sharing for docker pods by default, bringing the behavior of docker in line with the other CRI runtimes when used with docker >= 1.13.1.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): ref #1615

Special notes for your reviewer: cc @dchen1107 @yujuhong

Release note:

Kubernetes now shares a single PID namespace among all containers in a pod when running with docker >= 1.13.1. This means processes can now signal processes in other containers in a pod, but it also means that the `kubectl exec {pod} kill 1` pattern will cause the pod to be restarted rather than a single container.

[k8s-reviewable]

This change is 

[k8s-ci-robot]

Hi @verb. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with @k8s-bot ok to test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[spiffxp]

@k8s-bot ok to test

[yujuhong]

@verb, the experimental flag was just introduced 4 days ago in #41583. Why changing them now?

[verb]

@yujuhong the plan in the original proposal was to change the default behavior but provide an "escape hatch". When it became clear that Docker 1.13.1 would not be qualified for 1.6, @dchen1107 asked to make it experimental opt-in.

That CL (#41583) didn't merge in time for 1.6. Since it already had an LGTM I decided to just let it merge (I didn't realize at the time I was going to have to get additional LGTMs because of rebasing) and follow up with a CL to change the default behavior for 1.7.

Anyway, I'm just implementing the initial proposal, but I'm happy to revisit the rollout plan.

[verb]

Update ftr: @yujuhong, @dchen1107 and I met offline and agreed to make this a default for 1.7, so this PR is just waiting for review.

[yujuhong]

/lgtm

[verb]

@k8s-bot kops aws e2e test this
@k8s-bot gce etcd3 e2e test this

[dchen1107]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dchen1107, verb, yujuhong

Needs approval from an approver in each of these OWNERS Files:

• cmd/kubelet/OWNERS [dchen1107,yujuhong]
• hack/verify-flags/OWNERS [dchen1107]
• pkg/apis/componentconfig/OWNERS [dchen1107]
• pkg/kubelet/OWNERS [dchen1107,yujuhong]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[verb]

@k8s-bot kops aws e2e test this

[k8s-github-robot]

Automatic merge from submit-queue

[krmayankk]

@verb why was it experimental earlier and what makes it non experimental now. is there more documentation on how to use it ? Do we need to enable in kubelet earlier ?

[verb]

@krmayankk lack of defined process. It is automatically enabled for supported docker versions, >= 1.13.1. Note that 1.13.1 has not been qualified for use with Kubernetes yet. See kubernetes/community#207 for additional details of the rollout.