From 85be93a18941889567a2fa6f087dff22da88845a Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Thu, 22 Jul 2021 11:17:46 -0700
Subject: [PATCH 01/10] Rebasing HostProcess security changes.

---
 .../security/pod-security-standards.md        |  16 ++
 .../security/windows-pod-security-profile.md  | 225 ++++++++++++++++++
 .../en/docs/concepts/workloads/pods/_index.md |   5 +-
 .../feature-gates.md                          |   2 +
 .../create-hostprocess-container.md           |  52 ++++
 5 files changed, 298 insertions(+), 2 deletions(-)
 create mode 100644 content/en/docs/concepts/security/windows-pod-security-profile.md
 create mode 100644 content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md

diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index 39fccb4230323..e31b7b51ac015 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -257,6 +257,22 @@ fail validation.
 				</ul>
 			</td>
 		</tr>
+		<tr>
+			<td style="white-space: nowrap">Windows HostProcess</td>
+			<td>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-container">HostProcess containers</a> which enables privileged access to the Windows node. As is similar to  privileged containers this must be disallowed in the baseline policy. </p>
+				<p><strong>Restricted Fields</strong></p>
+				<ul>
+					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
+				</ul>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li>Undefined/nil</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
 	</tbody>
 </table>
 
diff --git a/content/en/docs/concepts/security/windows-pod-security-profile.md b/content/en/docs/concepts/security/windows-pod-security-profile.md
new file mode 100644
index 0000000000000..05327bb840011
--- /dev/null
+++ b/content/en/docs/concepts/security/windows-pod-security-profile.md
@@ -0,0 +1,225 @@
+---
+reviewers:
+- tallclair
+title: Windows Pod Security Policy
+description: >
+  Clarification of which pod security policies apply to Windows pods
+content_type: concept
+weight: 10
+---
+
+<!-- overview -->
+
+Windows in Kubernetes has some differentiators from standard Linux-based workloads. Many of the Pod SecurityContext fields [have no effect on
+Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext). Windows HostProcess containers also differ from traditional privileged containers, which causes some additional policies to lose their applicability for Windows.
+
+This guide outlines the applicable _policies_ for Windows Pod Security Standards and redefines the [existing profiles](/docs/concepts/security/pod-security-standards) for the Windows context.
+
+| Profile | Description |
+| ------ | ----------- |
+| <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing the widest possible level of permissions. This policy allows for full access to the Windows host |
+| <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration while blocking HostProcess container support. |
+| <strong style="white-space: nowrap">Restricted</strong> | Unsupported until a standardized identifier for Windows pods is implemented. Windows pods _may_ be broken by the restricted field, which requires setting linux-specific settings (such as seccomp profile, run as non root, and disallow privilege escalation). If the Kubelet and/or container runtime choose to ignore these linux-specific values at runtime, then windows pods should still be allowed under the restricted profile, although the profile will not add additional enforcement over baseline (for Windows). |
+
+<!-- body -->
+
+## Profile Details
+Each of the profiles below detail which policies must be explicitly set. Any policy **not** in the profile which is also not in the [list of policies](./#policies-ignored-on-windows) ignored by Windows can assume supported configuration on a Windows node.
+
+### Privileged
+
+**As is true in the default Privileged policy, the _Windows Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is aimed at system- and infrastructure-level workloads managed by privileged, trusted users. Pods running under this policy will be limited to only HostProcess containers and will have full visibility into the Windows node.
+
+<table>
+	<caption style="display:none">Privileged policy specification</caption>
+	<tbody>
+		<tr>
+			<td><strong>Control</strong></td>
+			<td><strong>Windows Applicable</strong></td>
+			<td><strong>Policy</strong></td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Windows HostProcess</td>
+			<td>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-container">HostProcess containers</a> which enables privileged access to the Windows node. </p>
+				<p><strong>Restricted Fields</strong></p>
+				<ul>
+					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
+				</ul>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li><code>true</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Host Namespaces</td>
+			<td>
+				<p>Will be in host network by default initially. Support to set network to a different compartment may be desirable in the future.</p>
+				<p><strong>Restricted Fields</strong></p>
+				<ul>
+					<li><code>spec.hostNetwork</code></li>
+					<li><code>spec.hostPID</code></li>
+					<li><code>spec.hostIPC</code></li>
+				</ul>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li><code>true</code></li>
+				</ul>
+			</td>
+		</tr>
+	</tbody>
+</table>
+
+### Baseline
+
+**The _Baseline_ policy is aimed at ease of adoption for common containerized workloads while preventing known privilege escalations.** This policy is targeted at application operators and developers of non-critical applications. The following listed controls should be enforced/disallowed:
+
+<table>
+	<caption style="display:none">Baseline policy specification</caption>
+	<tbody>
+		<tr>
+			<td><strong>Control</strong></td>
+			<td><strong>Policy</strong></td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Windows HostProcess</td>
+			<td>
+				<p>As is similar to  privileged containers this must be disallowed in the baseline policy. </p>
+				<p><strong>Restricted Fields</strong></p>
+				<ul>
+					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
+				</ul>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li>Undefined/nil</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Host Namespaces</td>
+			<td>
+				<p>Not applicable. Windows privileged containers will be controlled with a new `WindowsSecurityContextOptions.HostProcess` instead of the existing `privileged` field due to fundamental differences in their implementation on Windows.</p>
+				<p><strong>Restricted Fields</strong></p>
+				<ul>
+					<li><code>spec.hostNetwork</code></li>
+					<li><code>spec.hostPID</code></li>
+					<li><code>spec.hostIPC</code></li>
+				</ul>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li>Undefined</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
+	</tbody>
+</table>
+
+## Policies Ignored on Windows
+Several policies in the Pod Security Standards do not apply to Windows nodes due to architectural differences between Linux and Windows. These policies are as follows:
+
+<table>
+	<caption style="display:none">Privileged policy specification</caption>
+	<tbody>
+		<tr>
+			<td><strong>Control</strong></td>
+			<td><strong>Policy</strong></td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Host Namespaces</td>
+			<td>
+				<p>Windows does not have configurable PID/IPC namespaces (unlike Linux). Windows containers are always assigned their own process namespace. HostProcess containers always run in the host's process namespace. These behaviors are not configurable. Future plans in this area include improvements to enable scheduling pods that can contain both Windows Server and HostProcess containers. These fields would not makes in this scenario because Windows cannot configure PID/IPC namespaces like in Linux.</p>
+				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>spec.hostNetwork</code></li>
+					<li><code>spec.hostPID</code></li>
+					<li><code>spec.hostIPC</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Privileged Containers</td>
+			<td>
+				<p>Not applicable. Windows privileged containers will be controlled with a new `WindowsSecurityContextOptions.HostProcess` instead of the existing `privileged` field due to fundamental differences in their implementation on Windows.</p>
+				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.privileged</code></li>
+					<li><code>spec.initContainers[*].securityContext.privileged</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">Capabilities</td>
+			<td>
+				<p>Windows OS has a concept of “capabilities” (referred to as “privileged constants” but they are not supported in the platform today.</p>
+				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
+					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">AppArmor</td>
+			<td>
+				<p>AppArmor is not supported on Windows nodes.</p>
+				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap">SELinux</td>
+			<td>
+				<p>SELinux is not supported by Windows nodes.</p>
+				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>spec.securityContext.seLinuxOptions.*</code></li>
+					<li><code>spec.containers[*].securityContext.seLinuxOptions.*</code></li>
+					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.*</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><code>/proc</code> Mount Type</td>
+			<td>
+				<p><code>/proc</code> masks are not supported on Windows nodes.</p>
+				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>spec.containers[*].securityContext.procMount</code></li>
+					<li><code>spec.initContainers[*].securityContext.procMount</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+  			<td>Seccomp</td>
+  			<td>
+  				<p>Seccomp is not supported by Windows nodes.</p>
+  				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>spec.securityContext.seccompProfile.*</code></li>
+					<li><code>spec.containers[*].securityContext.seccompProfile.*</code></li>
+					<li><code>spec.initContainers[*].securityContext.seccompProfile.*</code></li>
+				</ul>
+  			</td>
+  		</tr>
+		<tr>
+			<td style="white-space: nowrap">Sysctls</td>
+			<td>
+				<p>These are part of the Linux sysctl interface, which has no equivalent on Windows.</p>
+				<p><strong>Unsupported Fields</strong></p>
+				<ul>
+					<li><code>spec.securityContext.sysctls</code></li>
+				</ul>
+			</td>
+		</tr>
+	</tbody>
+</table>
+
+## FAQ
+
diff --git a/content/en/docs/concepts/workloads/pods/_index.md b/content/en/docs/concepts/workloads/pods/_index.md
index 5dd6bac9de6be..3cb432b976a81 100644
--- a/content/en/docs/concepts/workloads/pods/_index.md
+++ b/content/en/docs/concepts/workloads/pods/_index.md
@@ -257,8 +257,9 @@ section.
 
 ## Privileged mode for containers
 
-Any container in a Pod can enable privileged mode, using the `privileged` flag on the [security context](/docs/tasks/configure-pod-container/security-context/) of the container spec. This is useful for containers that want to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices.
-Processes within a privileged container get almost the same privileges that are available to processes outside a container.
+Any container in a Pod can enable privileged mode, using either the `privileged` (Linux) or `hostProcess` (Windows) flag on the [security context](/docs/tasks/configure-pod-container/security-context/) of the container spec. This is useful for containers that want to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices.
+
+Processes within a either a [Windows HostProcess](/docs/tasks/configure-pod-container/create-hostprocess-container/) or Linux privileged container get almost the same privileges that are available to processes outside a container.
 
 {{< note >}}
 Your {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} must support the concept of a privileged container for this setting to be relevant.
diff --git a/content/en/docs/reference/command-line-tools-reference/feature-gates.md b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
index 6ebc960521e22..c2d9935fd2a73 100644
--- a/content/en/docs/reference/command-line-tools-reference/feature-gates.md
+++ b/content/en/docs/reference/command-line-tools-reference/feature-gates.md
@@ -448,6 +448,7 @@ different Kubernetes components.
 | `WindowsGMSA` | `false` | Alpha | 1.14 | 1.15 |
 | `WindowsGMSA` | `true` | Beta | 1.16 | 1.17 |
 | `WindowsGMSA` | `true` | GA | 1.18 | - |
+| `WindowsHostProcessContainers` | `false` | Alpha | 1.22 |
 | `WindowsRunAsUserName` | `false` | Alpha | 1.16 | 1.16 |
 | `WindowsRunAsUserName` | `true` | Beta | 1.17 | 1.17 |
 | `WindowsRunAsUserName` | `true` | GA | 1.18 | - |
@@ -954,6 +955,7 @@ Each feature gate is designed for enabling/disabling a specific feature:
 - `WinDSR`: Allows kube-proxy to create DSR loadbalancers for Windows.
 - `WinOverlay`: Allows kube-proxy to run in overlay mode for Windows.
 - `WindowsGMSA`: Enables passing of GMSA credential specs from pods to container runtimes.
+- `WindowsHostProcessContainers`: Enables support for Windows HostProcess containers.
 - `WindowsRunAsUserName` : Enable support for running applications in Windows containers
   with as a non-default user. See
   [Configuring RunAsUserName](/docs/tasks/configure-pod-container/configure-runasusername)
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md
new file mode 100644
index 0000000000000..da799de7b4d47
--- /dev/null
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md
@@ -0,0 +1,52 @@
+---
+title: Create a Windows HostProcess Container
+content_type: task
+weight: 20
+---
+
+<!-- overview -->
+
+{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+
+Windows HostProcess containers enable you to run containerized administrative workloads on a Windows host. These containers operate as normal processes and have access to the host network namespace, storage, and devices when given the associated user privileges. HostProcess containers can be used to deploy networking policies, storage configurations, device plugins, kube-proxy, and other components to Windows nodes without the need for dedicated proxies or the direct installation of services on the Windows nodes.
+
+Administrative tasks such as installation of security patches, event log collection, and more can be performed without requiring cluster operations to log onto each Window node. HostProcess containers can run as any user that is available on the host or is in the domain of the host machine, allowing administrators to restrict resource access through user permissions. While neither filesystem or process isolation are supported, a new volume is created on the host upon starting the container to give it a clean and consolidated workspace. HostProcess containers can also be built on top of existing Windows base images and do not inherit the same [compatibility requirements](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) as Windows server containers.
+
+### When should I use a Windows HostProcess container?
+
+- When you need to perform tasks which require the networking namespace of the host. HostProcess containers have access to the host's network interfaces and IP.
+- You need access to the host's filesystem
+- Installation of specific devices drivers or services
+- Consolidation of administrative tasks and security policies. This reduces the degree of privileges needed by Windows nodes.
+
+### Important Notes
+
+- HostProcess container will **only run via containerd**.
+- As of v1.22 HostProcess containers cannot share the same pod as non-privileged containers. This is a current limitation of the Windows OS; non-privileged containers cannot share a vNIC with the host IP namespace.
+- HostProcess containers run as a process on the host and do not have any degree of isolation other than resource constraints imposed on the HostProcess user account. Neither filesystem or Hyper-V isolation are supported for HostProcess containers.
+- Resource limits (disk, memory, cpu count) are supported in the same fashion as processes on the host.
+- Named pipe mounts will **not** be supported and should instead be accessed via their path on the host (\\.\pipe\*).
+    - Unix domain sockets, however, are supported
+- Volume mounts are supported and are mounted under the container volume.
+- [todo] Skipping host file mounting
+
+<!-- ## {{% heading "prerequisites" %}} //TODO, might have to wait for beta implementation completion
+[todo] Enabling the feature
+
+[todo] Version requirements
+
+## Creating HostProcess containers
+
+[todo] Testing HostProcess containers in a dev environment
+
+[todo] Deploying HostProcess containers
+
+## Choosing a User Account
+
+[todo] Recommended user accounts
+
+[todo] Using runas + changing the user
+
+## Example Specs
+
+[todo] example specs -->

From bc9786a012a7688bb20bca8935f91c3a7db97c6e Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Thu, 22 Jul 2021 14:50:31 -0700
Subject: [PATCH 02/10] Incorporated initial round of feedback

---
 .../security/pod-security-standards.md        |  2 +-
 .../security/windows-pod-security-profile.md  | 81 +++++++++++++++----
 .../en/docs/concepts/workloads/pods/_index.md |  4 +-
 .../create-hostprocess-container.md           | 52 ------------
 .../create-hostprocess-pod.md                 | 75 +++++++++++++++++
 5 files changed, 143 insertions(+), 71 deletions(-)
 delete mode 100644 content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md
 create mode 100644 content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md

diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index e31b7b51ac015..4b8d653165bd5 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -260,7 +260,7 @@ fail validation.
 		<tr>
 			<td style="white-space: nowrap">Windows HostProcess</td>
 			<td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-container">HostProcess containers</a> which enables privileged access to the Windows node. As is similar to  privileged containers this must be disallowed in the baseline policy. </p>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. As is similar to  privileged containers this must be disallowed in the baseline policy. </p>
 				<p><strong>Restricted Fields</strong></p>
 				<ul>
 					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
diff --git a/content/en/docs/concepts/security/windows-pod-security-profile.md b/content/en/docs/concepts/security/windows-pod-security-profile.md
index 05327bb840011..11c5140abf318 100644
--- a/content/en/docs/concepts/security/windows-pod-security-profile.md
+++ b/content/en/docs/concepts/security/windows-pod-security-profile.md
@@ -10,25 +10,47 @@ weight: 10
 
 <!-- overview -->
 
-Windows in Kubernetes has some differentiators from standard Linux-based workloads. Many of the Pod SecurityContext fields [have no effect on
-Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext). Windows HostProcess containers also differ from traditional privileged containers, which causes some additional policies to lose their applicability for Windows.
+Windows in Kubernetes has some differentiators from standard Linux-based workloads. Many 
+of the Pod SecurityContext fields [have no effect on
+Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/
+#v1-podsecuritycontext). Windows HostProcess containers also differ from traditional 
+privileged containers, which causes some additional policies to lose their applicability 
+for Windows.
 
-This guide outlines the applicable _policies_ for Windows Pod Security Standards and redefines the [existing profiles](/docs/concepts/security/pod-security-standards) for the Windows context.
+This guide outlines the applicable _policies_ for Windows Pod Security Standards and 
+redefines the [existing profiles](/docs/concepts/security/pod-security-standards) for the 
+Windows context.
 
 | Profile | Description |
 | ------ | ----------- |
-| <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing the widest possible level of permissions. This policy allows for full access to the Windows host |
-| <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy which prevents known privilege escalations. Allows the default (minimally specified) Pod configuration while blocking HostProcess container support. |
-| <strong style="white-space: nowrap">Restricted</strong> | Unsupported until a standardized identifier for Windows pods is implemented. Windows pods _may_ be broken by the restricted field, which requires setting linux-specific settings (such as seccomp profile, run as non root, and disallow privilege escalation). If the Kubelet and/or container runtime choose to ignore these linux-specific values at runtime, then windows pods should still be allowed under the restricted profile, although the profile will not add additional enforcement over baseline (for Windows). |
+| <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing 
+the widest possible level of permissions. This policy allows for full access to the 
+Windows host |
+| <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy 
+which prevents known privilege escalations. Allows the default (minimally specified) Pod 
+configuration while blocking HostProcess container support. |
+| <strong style="white-space: nowrap">Restricted</strong> | Unsupported until a 
+standardized identifier for Windows pods is implemented. Windows pods _may_ be broken by 
+the restricted field, which requires setting linux-specific settings (such as seccomp 
+profile, run as non root, and disallow privilege escalation). If the Kubelet and/or 
+container runtime choose to ignore these linux-specific values at runtime, then windows 
+pods should still be allowed under the restricted profile, although the profile will not 
+add additional enforcement over baseline (for Windows). |
 
 <!-- body -->
 
 ## Profile Details
-Each of the profiles below detail which policies must be explicitly set. Any policy **not** in the profile which is also not in the [list of policies](./#policies-ignored-on-windows) ignored by Windows can assume supported configuration on a Windows node.
+Each of the profiles below detail which policies must be explicitly set. Any policy 
+**not** in the profile which is also not in the [list of policies](./
+#policies-ignored-on-windows) ignored by Windows can assume supported configuration on a 
+Windows node.
 
 ### Privileged
 
-**As is true in the default Privileged policy, the _Windows Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is aimed at system- and infrastructure-level workloads managed by privileged, trusted users. Pods running under this policy will be limited to only HostProcess containers and will have full visibility into the Windows node.
+**As is true in the default Privileged policy, the _Windows Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is aimed at system- and 
+infrastructure-level workloads managed by privileged, trusted users. Pods running under 
+this policy will be limited to only HostProcess containers and will have full visibility 
+into the Windows node.
 
 <table>
 	<caption style="display:none">Privileged policy specification</caption>
@@ -41,7 +63,7 @@ Each of the profiles below detail which policies must be explicitly set. Any pol
 		<tr>
 			<td style="white-space: nowrap">Windows HostProcess</td>
 			<td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-container">HostProcess containers</a> which enables privileged access to the Windows node. </p>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. </p>
 				<p><strong>Restricted Fields</strong></p>
 				<ul>
 					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
@@ -56,7 +78,9 @@ Each of the profiles below detail which policies must be explicitly set. Any pol
 		<tr>
 			<td style="white-space: nowrap">Host Namespaces</td>
 			<td>
-				<p>Will be in host network by default initially. Support to set network to a different compartment may be desirable in the future.</p>
+				<p>Will be in host network by default initially. Support 
+				to set network to a different compartment may be desirable in 
+				the future.</p>
 				<p><strong>Restricted Fields</strong></p>
 				<ul>
 					<li><code>spec.hostNetwork</code></li>
@@ -74,7 +98,10 @@ Each of the profiles below detail which policies must be explicitly set. Any pol
 
 ### Baseline
 
-**The _Baseline_ policy is aimed at ease of adoption for common containerized workloads while preventing known privilege escalations.** This policy is targeted at application operators and developers of non-critical applications. The following listed controls should be enforced/disallowed:
+**The _Baseline_ policy is aimed at ease of adoption for common containerized workloads while preventing known privilege escalations.** 
+This policy is targeted at application operators and developers of 
+non-critical applications. The following listed controls 
+should be enforced/disallowed:
 
 <table>
 	<caption style="display:none">Baseline policy specification</caption>
@@ -102,7 +129,10 @@ Each of the profiles below detail which policies must be explicitly set. Any pol
 		<tr>
 			<td style="white-space: nowrap">Host Namespaces</td>
 			<td>
-				<p>Not applicable. Windows privileged containers will be controlled with a new `WindowsSecurityContextOptions.HostProcess` instead of the existing `privileged` field due to fundamental differences in their implementation on Windows.</p>
+				<p>Not applicable. Windows privileged containers will be controlled with a 
+				new `WindowsSecurityContextOptions.HostProcess` instead of the existing 
+				`privileged` field due to fundamental differences in their implementation 
+				on Windows.</p>
 				<p><strong>Restricted Fields</strong></p>
 				<ul>
 					<li><code>spec.hostNetwork</code></li>
@@ -120,7 +150,8 @@ Each of the profiles below detail which policies must be explicitly set. Any pol
 </table>
 
 ## Policies Ignored on Windows
-Several policies in the Pod Security Standards do not apply to Windows nodes due to architectural differences between Linux and Windows. These policies are as follows:
+Several policies in the Pod Security Standards do not apply to Windows nodes due to 
+architectural differences between Linux and Windows. These policies are as follows:
 
 <table>
 	<caption style="display:none">Privileged policy specification</caption>
@@ -132,7 +163,21 @@ Several policies in the Pod Security Standards do not apply to Windows nodes due
 		<tr>
 			<td style="white-space: nowrap">Host Namespaces</td>
 			<td>
-				<p>Windows does not have configurable PID/IPC namespaces (unlike Linux). Windows containers are always assigned their own process namespace. HostProcess containers always run in the host's process namespace. These behaviors are not configurable. Future plans in this area include improvements to enable scheduling pods that can contain both Windows Server and HostProcess containers. These fields would not makes in this scenario because Windows cannot configure PID/IPC namespaces like in Linux.</p>
+				<p>Windows does not have configurable PID/IPC 
+				namespaces (unlike Linux). 
+				Windows containers are always assigned their own 
+				process namespace. 
+				HostProcess containers always run in the host's 
+				process namespace. These 
+				behaviors are not configurable. Future plans in this 
+				area include 
+				improvements to enable scheduling pods that can 
+				contain both Windows 
+				Server and HostProcess containers. These fields would 
+				not makes in this 
+				scenario because Windows cannot configure PID/IPC 
+				namespaces like in Linux.
+				</p>
 				<p><strong>Unsupported Fields</strong></p>
 				<ul>
 					<li><code>spec.hostNetwork</code></li>
@@ -144,7 +189,10 @@ Several policies in the Pod Security Standards do not apply to Windows nodes due
 		<tr>
 			<td style="white-space: nowrap">Privileged Containers</td>
 			<td>
-				<p>Not applicable. Windows privileged containers will be controlled with a new `WindowsSecurityContextOptions.HostProcess` instead of the existing `privileged` field due to fundamental differences in their implementation on Windows.</p>
+				<p>Not applicable. Windows privileged containers will be 
+				controlled with a new `WindowsSecurityContextOptions.HostProcess` 
+				instead of the existing `privileged` field due to fundamental 
+				differences in their implementation on Windows.</p>
 				<p><strong>Unsupported Fields</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.privileged</code></li>
@@ -155,7 +203,8 @@ Several policies in the Pod Security Standards do not apply to Windows nodes due
 		<tr>
 			<td style="white-space: nowrap">Capabilities</td>
 			<td>
-				<p>Windows OS has a concept of “capabilities” (referred to as “privileged constants” but they are not supported in the platform today.</p>
+				<p>Windows OS has a concept of “capabilities” (referred to as 
+				“privileged constants” but they are not supported in the platform today.</p>
 				<p><strong>Unsupported Fields</strong></p>
 				<ul>
 					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
diff --git a/content/en/docs/concepts/workloads/pods/_index.md b/content/en/docs/concepts/workloads/pods/_index.md
index 3cb432b976a81..7cae3658303cb 100644
--- a/content/en/docs/concepts/workloads/pods/_index.md
+++ b/content/en/docs/concepts/workloads/pods/_index.md
@@ -257,9 +257,9 @@ section.
 
 ## Privileged mode for containers
 
-Any container in a Pod can enable privileged mode, using either the `privileged` (Linux) or `hostProcess` (Windows) flag on the [security context](/docs/tasks/configure-pod-container/security-context/) of the container spec. This is useful for containers that want to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices.
+In Linux, any container in a Pod can enable privileged mode using the `privileged` (Linux) flag on the [security context](/docs/tasks/configure-pod-container/security-context/) of the container spec. This is useful for containers that want to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices.
 
-Processes within a either a [Windows HostProcess](/docs/tasks/configure-pod-container/create-hostprocess-container/) or Linux privileged container get almost the same privileges that are available to processes outside a container.
+For Windows clusters with the `WindowsHostProcessContainers` feature enabled, administrators can create a [Windows HostProcess pod](/docs/tasks/configure-pod-container/create-hostprocess-pod) by setting the `windowsOptions.hostProcess` flag on the security context of the container spec. These pods run only Windows HostProcess containers, which run directly on the host and can also be used to perform administrative tasks as is done with Linux privileged containers.
 
 {{< note >}}
 Your {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} must support the concept of a privileged container for this setting to be relevant.
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md
deleted file mode 100644
index da799de7b4d47..0000000000000
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-container.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Create a Windows HostProcess Container
-content_type: task
-weight: 20
----
-
-<!-- overview -->
-
-{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
-
-Windows HostProcess containers enable you to run containerized administrative workloads on a Windows host. These containers operate as normal processes and have access to the host network namespace, storage, and devices when given the associated user privileges. HostProcess containers can be used to deploy networking policies, storage configurations, device plugins, kube-proxy, and other components to Windows nodes without the need for dedicated proxies or the direct installation of services on the Windows nodes.
-
-Administrative tasks such as installation of security patches, event log collection, and more can be performed without requiring cluster operations to log onto each Window node. HostProcess containers can run as any user that is available on the host or is in the domain of the host machine, allowing administrators to restrict resource access through user permissions. While neither filesystem or process isolation are supported, a new volume is created on the host upon starting the container to give it a clean and consolidated workspace. HostProcess containers can also be built on top of existing Windows base images and do not inherit the same [compatibility requirements](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) as Windows server containers.
-
-### When should I use a Windows HostProcess container?
-
-- When you need to perform tasks which require the networking namespace of the host. HostProcess containers have access to the host's network interfaces and IP.
-- You need access to the host's filesystem
-- Installation of specific devices drivers or services
-- Consolidation of administrative tasks and security policies. This reduces the degree of privileges needed by Windows nodes.
-
-### Important Notes
-
-- HostProcess container will **only run via containerd**.
-- As of v1.22 HostProcess containers cannot share the same pod as non-privileged containers. This is a current limitation of the Windows OS; non-privileged containers cannot share a vNIC with the host IP namespace.
-- HostProcess containers run as a process on the host and do not have any degree of isolation other than resource constraints imposed on the HostProcess user account. Neither filesystem or Hyper-V isolation are supported for HostProcess containers.
-- Resource limits (disk, memory, cpu count) are supported in the same fashion as processes on the host.
-- Named pipe mounts will **not** be supported and should instead be accessed via their path on the host (\\.\pipe\*).
-    - Unix domain sockets, however, are supported
-- Volume mounts are supported and are mounted under the container volume.
-- [todo] Skipping host file mounting
-
-<!-- ## {{% heading "prerequisites" %}} //TODO, might have to wait for beta implementation completion
-[todo] Enabling the feature
-
-[todo] Version requirements
-
-## Creating HostProcess containers
-
-[todo] Testing HostProcess containers in a dev environment
-
-[todo] Deploying HostProcess containers
-
-## Choosing a User Account
-
-[todo] Recommended user accounts
-
-[todo] Using runas + changing the user
-
-## Example Specs
-
-[todo] example specs -->
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
new file mode 100644
index 0000000000000..d194f8fea6d95
--- /dev/null
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -0,0 +1,75 @@
+---
+title: Create a Windows HostProcess Pod
+content_type: task
+weight: 20
+---
+
+<!-- overview -->
+
+{{< feature-state for_k8s_version="v1.22" state="alpha" >}}
+
+Windows HostProcess containers enable you to run containerized 
+ workloads on a Windows host. These containers operate as 
+normal processes but have access to the host network namespace, 
+storage, and devices when given the appropriate user privileges. 
+HostProcess containers can be used to deploy CNIs, 
+storage configurations, device plugins, kube-proxy, and other 
+components to Windows nodes without the need for dedicated proxies or 
+the direct installation of host services.
+
+Administrative tasks such as installation of security patches, event 
+log collection, and more can be performed without requiring cluster operators to 
+log onto each Window node. HostProcess containers can run as any user that is 
+available on the host or is in the domain of the host machine, allowing administrators 
+to restrict resource access through user permissions. While neither filesystem or process 
+isolation are supported, a new volume is created on the host upon starting the container 
+to give it a clean and consolidated workspace. HostProcess containers can also be built on 
+top of existing Windows base images and do not inherit the same 
+[compatibility requirements](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) as Windows server containers.
+
+### When should I use a Windows HostProcess container?
+
+- When you need to perform tasks which require the networking namespace of the host. 
+HostProcess containers have access to the host's network interfaces and IP.
+- You need access to resources on the host such as the filesystem, event logs, etc.
+- Installation of specific devices drivers or services
+- Consolidation of administrative tasks and security policies. This reduces the degree of 
+privileges needed by Windows nodes.
+
+### Important Notes
+
+- HostProcess container will **only run when using version 1.5.4 (or higher) containerd [container runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes/)**.
+- As of v1.22 HostProcess pods can only run HostProcess containers. This is a current limitation
+ of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
+- HostProcess containers run as a process on the host and do not have any degree of 
+isolation other than resource constraints imposed on the HostProcess user account. Neither 
+filesystem or Hyper-V isolation are supported for HostProcess containers.
+- Resource limits (disk, memory, cpu count) are supported in the same fashion as processes 
+on the host.
+- Both Named pipe mounts and Unix domain sockets will **not** be supported and should instead be accessed via their 
+path on the host (e.g. \\.\pipe\*)
+- Volume mounts are supported and are mounted under the container volume.
+- [todo] Skipping host file mounting
+
+ ## {{% heading "prerequisites" %}} //TODO, might have to wait for beta implementation completion
+[todo] Enabling the feature
+
+[todo] Version requirements
+
+## Creating HostProcess containers
+
+[todo] Testing HostProcess containers in a dev environment
+
+[todo] Deploying HostProcess containers
+
+## Volume Mounts
+
+## Choosing a User Account
+
+[todo] Recommended user accounts
+
+[todo] Using runas + changing the user
+
+## Example Manifests
+
+[todo] example specs

From b0db71e3cfbbc2d9254548689f02451f8e118799 Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Thu, 22 Jul 2021 15:48:08 -0700
Subject: [PATCH 03/10] Minor wording updates

---
 .../create-hostprocess-pod.md                 | 27 +++++++++++--------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index d194f8fea6d95..3a4f86b313033 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -38,38 +38,43 @@ privileges needed by Windows nodes.
 
 ### Important Notes
 
-- HostProcess container will **only run when using version 1.5.4 (or higher) containerd [container runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes/)**.
+- HostProcess containers will **only run when using version 1.5.4 (or higher) of the containerd [container runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes/)**.
 - As of v1.22 HostProcess pods can only run HostProcess containers. This is a current limitation
  of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
 - HostProcess containers run as a process on the host and do not have any degree of 
 isolation other than resource constraints imposed on the HostProcess user account. Neither 
 filesystem or Hyper-V isolation are supported for HostProcess containers.
+- Volume mounts are supported and are mounted under the container volume. See [Volume Mounts](./create-hostprocess-pod#volume-mounts)
+- A limited set of host user accounts are available for HostProcess containers by default. See [Choosing a User Account](./create-hostprocess-pod#choosing-a-user-account).
 - Resource limits (disk, memory, cpu count) are supported in the same fashion as processes 
 on the host.
-- Both Named pipe mounts and Unix domain sockets will **not** be supported and should instead be accessed via their 
-path on the host (e.g. \\.\pipe\*)
-- Volume mounts are supported and are mounted under the container volume.
-- [todo] Skipping host file mounting
+- Both Named pipe mounts and Unix domain sockets are **not** currently supported and should instead be accessed via their 
+path on the host (e.g. \\\\.\\pipe\\\*)
 
- ## {{% heading "prerequisites" %}} //TODO, might have to wait for beta implementation completion
+ ## {{% heading "prerequisites" %}}
+[todo] Version requirements
 [todo] Enabling the feature
+- flags that need to be set 
+- 
 
-[todo] Version requirements
+- list of steps needed to build everything
 
-## Creating HostProcess containers
 
-[todo] Testing HostProcess containers in a dev environment
+## Creating HostProcess containers
 
 [todo] Deploying HostProcess containers
+## Example Manifests
+
+[todo] example specs
 
 ## Volume Mounts
 
+
+
 ## Choosing a User Account
 
 [todo] Recommended user accounts
 
 [todo] Using runas + changing the user
 
-## Example Manifests
 
-[todo] example specs

From e5c8b6a000e12cf3b492acd4f542069405e481b5 Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Fri, 23 Jul 2021 11:00:51 -0700
Subject: [PATCH 04/10] Finished up remaining todo items

---
 .../create-hostprocess-pod.md                 | 68 +++++++++++++++----
 1 file changed, 56 insertions(+), 12 deletions(-)

diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index 3a4f86b313033..b2ec1e6ca1f32 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -52,29 +52,73 @@ on the host.
 path on the host (e.g. \\\\.\\pipe\\\*)
 
  ## {{% heading "prerequisites" %}}
-[todo] Version requirements
-[todo] Enabling the feature
-- flags that need to be set 
-- 
+# HostProcess Documentation
 
-- list of steps needed to build everything
+To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to kubelet and kube-apiserver. See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview)documentation for more details.
 
+```
+--feature-gates=WindowsHostProcessContainers=true
+```
 
-## Creating HostProcess containers
+You can use the latest version of Containerd (v1.5.4+) with the following settings using the containerd v2 configuration.  Add these annotations to any runtime configurations were you wish to enable the HostProcess Container feature.
 
-[todo] Deploying HostProcess containers
-## Example Manifests
 
-[todo] example specs
+```
+[plugins]
+  [plugins."io.containerd.grpc.v1.cri"]
+    [plugins."io.containerd.grpc.v1.cri".containerd]
+      [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
+        container_annotations = ["microsoft.com/hostprocess-container"]
+        pod_annotations = ["microsoft.com/hostprocess-container"]
+    [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process]
+        container_annotations = ["microsoft.com/hostprocess-container"]
+        pod_annotations = ["microsoft.com/hostprocess-container"]
+```
+
+The current versions of containerd ship with a version of hcsshim that does not have support. You will need to build a version of hcsshim from the main branch following the [instructions in hcsshim](https://github.com/Microsoft/hcsshim/#containerd-shim).  Once the containerd shim is built you can replace the file in your contianerd installation.  For example if you followed the instructions to [install containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) replace the `containerd-shim-runhcs-v1.exe` is installed at `$Env:ProgramFiles\containerd` with the newly built shim.
+
+We are working to improve this process by enabling HostProcess support directly in [containerd via the CRI api](https://github.com/containerd/containerd/pull/5131) as well as shipping a version of the containerd shim for Windows with support direclty via containerd releases.
+
+
+### Example Manifests
+
+
+```yaml
+spec:
+  securityContext:
+    windowsOptions:
+      hostProcess: true
+      runAsUserName: "NT AUTHORITY\\Local service"
+  hostNetwork: true
+  containers:
+  - name: test
+    image: image1:latest
+    command:
+      - ping
+      - -t
+      - 127.0.0.1
+  nodeSelector:
+    "kubernetes.io/os": windows
+```
 
 ## Volume Mounts
 
+HostProcess containers support the ability to mount volumes within the container volume space. Applications running inside the container can access volume mounts directly via relative or absolute paths. An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT` is set upon container creation and provides the absolute host path to the container volume. Relative paths are based upon the `Pod.containers.volumeMounts.mountPath` configuration.
 
+Example: To access service account tokens the following path structures are supported within the container:
 
-## Choosing a User Account
+`\var\run\secrets\kubernetes.io\serviceaccount\`
 
-[todo] Recommended user accounts
+`$CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\`
+
+## Choosing a User Account
 
-[todo] Using runas + changing the user
+Currently HostProcess containers only support the ability to run as one of four supported Windows service accounts:
 
+- **[LocalService](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
+- **[NetworkService](https://docs.microsoft.com/en-us/windows/win32/services/networkservice-account)**
+- **[LocalSystem](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account)**
+- **[LocalServiceAccount](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
 
+Operators should use these accounts to restrict access to system resources (e.g. files, registry, named pipes, WMI, etc.) and enforce the principle of least privilege. HostProcess containers have direct access to the host so it is recommended that a privileged workload only be given access to what it needs explicitly to prevent against accidental damage to the host. 
\ No newline at end of file

From 21af0d55bbe1def86bfc5426de8070a8f7299f54 Mon Sep 17 00:00:00 2001
From: Brandon Smith <BRASMITH@MICROSOFT.COM>
Date: Fri, 23 Jul 2021 11:19:19 -0700
Subject: [PATCH 05/10] Apply suggestions from code review

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
Co-authored-by: Mark Rossetti <marosset@microsoft.com>
---
 content/en/docs/concepts/security/pod-security-standards.md  | 5 ++---
 .../tasks/configure-pod-container/create-hostprocess-pod.md  | 4 ++--
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index 4b8d653165bd5..734a2340e3512 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -260,7 +260,7 @@ fail validation.
 		<tr>
 			<td style="white-space: nowrap">Windows HostProcess</td>
 			<td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. As is similar to  privileged containers this must be disallowed in the baseline policy. </p>
+				<p>Running Windows pods as <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> enables privileged access to the Windows node and should be disallowed.</p>
 				<p><strong>Restricted Fields</strong></p>
 				<ul>
 					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
@@ -268,7 +268,7 @@ fail validation.
 				</ul>
 				<p><strong>Allowed Values</strong></p>
 				<ul>
-					<li>Undefined/nil</li>
+					<li>Undefined/null</li>
 					<li><code>false</code></li>
 				</ul>
 			</td>
@@ -516,4 +516,3 @@ kernel. This allows for workloads requiring heightened permissions to still be i
 Additionally, the protection of sandboxed workloads is highly dependent on the method of
 sandboxing. As such, no single recommended profile is recommended for all sandboxed workloads.
 
-
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index b2ec1e6ca1f32..b1165290c4bc5 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -54,7 +54,7 @@ path on the host (e.g. \\\\.\\pipe\\\*)
  ## {{% heading "prerequisites" %}}
 # HostProcess Documentation
 
-To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to kubelet and kube-apiserver. See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview)documentation for more details.
+To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to **kubelet** and **kube-apiserver**. See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview) documentation for more details.
 
 ```
 --feature-gates=WindowsHostProcessContainers=true
@@ -121,4 +121,4 @@ Currently HostProcess containers only support the ability to run as one of four
 - **[LocalSystem](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account)**
 - **[LocalServiceAccount](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
 
-Operators should use these accounts to restrict access to system resources (e.g. files, registry, named pipes, WMI, etc.) and enforce the principle of least privilege. HostProcess containers have direct access to the host so it is recommended that a privileged workload only be given access to what it needs explicitly to prevent against accidental damage to the host. 
\ No newline at end of file
+Operators should use these accounts to restrict access to system resources (e.g. files, registry, named pipes, WMI, etc.) and enforce the principle of least privilege. HostProcess containers have direct access to the host so it is recommended that a privileged workload only be given access to what it needs explicitly to prevent against accidental damage to the host. 

From fe963d168ed8d63472edccaf8116454604ebceb2 Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Fri, 23 Jul 2021 15:00:56 -0700
Subject: [PATCH 06/10] Moved HostProcess security documentation into PSS and
 create-host-process-pod docs

---
 .../security/pod-security-standards.md        |  27 +-
 .../security/windows-pod-security-profile.md  | 274 ------------------
 .../create-hostprocess-pod.md                 | 101 ++++++-
 3 files changed, 114 insertions(+), 288 deletions(-)
 delete mode 100644 content/en/docs/concepts/security/windows-pod-security-profile.md

diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index 734a2340e3512..468be5b296710 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -55,6 +55,24 @@ fail validation.
 			<td><strong>Control</strong></td>
 			<td><strong>Policy</strong></td>
 		</tr>
+		<tr>
+			<td style="white-space: nowrap">HostProcess</td>
+			<td>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. </p>
+				<p><strong>Restricted Fields</strong></p>
+				<ul>
+					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.initContainers[*].securityContext.windowsOptions.hostProcess</code></li>
+					<li><code>spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess</code></li>
+				</ul>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li>Undefined/nil</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
 		<tr>
 			<td style="white-space: nowrap">Host Namespaces</td>
 			<td>
@@ -499,10 +517,17 @@ ecosystem, such as [OPA Gatekeeper](https://github.com/open-profile-agent/gateke
 ### What profiles should I apply to my Windows Pods?
 
 Windows in Kubernetes has some limitations and differentiators from standard Linux-based
-workloads. Specifically, the Pod SecurityContext fields [have no effect on
+workloads. Specifically, a many of the Pod SecurityContext fields [have no effect on
 Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext). As
 such, no standardized Pod Security profiles currently exist.
 
+Windows HostProcess containers can be enabled for the privileged profile, but are explicitly blocked for baseline.
+Windows pods _may_ be broken by the restricted profile, which requires setting linux-specific 
+settings (such as seccomp profile and disallow privilege escalation). If the Kubelet and/or 
+container runtime choose to ignore these linux-specific values at runtime, then windows 
+pods should still be allowed under the restricted profile, although the profile will not 
+add additional enforcement over baseline (for Windows).
+
 ### What about sandboxed Pods?
 
 There is not currently an API standard that controls whether a Pod is considered sandboxed or
diff --git a/content/en/docs/concepts/security/windows-pod-security-profile.md b/content/en/docs/concepts/security/windows-pod-security-profile.md
deleted file mode 100644
index 11c5140abf318..0000000000000
--- a/content/en/docs/concepts/security/windows-pod-security-profile.md
+++ /dev/null
@@ -1,274 +0,0 @@
----
-reviewers:
-- tallclair
-title: Windows Pod Security Policy
-description: >
-  Clarification of which pod security policies apply to Windows pods
-content_type: concept
-weight: 10
----
-
-<!-- overview -->
-
-Windows in Kubernetes has some differentiators from standard Linux-based workloads. Many 
-of the Pod SecurityContext fields [have no effect on
-Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/
-#v1-podsecuritycontext). Windows HostProcess containers also differ from traditional 
-privileged containers, which causes some additional policies to lose their applicability 
-for Windows.
-
-This guide outlines the applicable _policies_ for Windows Pod Security Standards and 
-redefines the [existing profiles](/docs/concepts/security/pod-security-standards) for the 
-Windows context.
-
-| Profile | Description |
-| ------ | ----------- |
-| <strong style="white-space: nowrap">Privileged</strong> | Unrestricted policy, providing 
-the widest possible level of permissions. This policy allows for full access to the 
-Windows host |
-| <strong style="white-space: nowrap">Baseline</strong> | Minimally restrictive policy 
-which prevents known privilege escalations. Allows the default (minimally specified) Pod 
-configuration while blocking HostProcess container support. |
-| <strong style="white-space: nowrap">Restricted</strong> | Unsupported until a 
-standardized identifier for Windows pods is implemented. Windows pods _may_ be broken by 
-the restricted field, which requires setting linux-specific settings (such as seccomp 
-profile, run as non root, and disallow privilege escalation). If the Kubelet and/or 
-container runtime choose to ignore these linux-specific values at runtime, then windows 
-pods should still be allowed under the restricted profile, although the profile will not 
-add additional enforcement over baseline (for Windows). |
-
-<!-- body -->
-
-## Profile Details
-Each of the profiles below detail which policies must be explicitly set. Any policy 
-**not** in the profile which is also not in the [list of policies](./
-#policies-ignored-on-windows) ignored by Windows can assume supported configuration on a 
-Windows node.
-
-### Privileged
-
-**As is true in the default Privileged policy, the _Windows Privileged_ policy is purposely-open, and entirely unrestricted.** This type of policy is aimed at system- and 
-infrastructure-level workloads managed by privileged, trusted users. Pods running under 
-this policy will be limited to only HostProcess containers and will have full visibility 
-into the Windows node.
-
-<table>
-	<caption style="display:none">Privileged policy specification</caption>
-	<tbody>
-		<tr>
-			<td><strong>Control</strong></td>
-			<td><strong>Windows Applicable</strong></td>
-			<td><strong>Policy</strong></td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Windows HostProcess</td>
-			<td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. </p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li><code>true</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Host Namespaces</td>
-			<td>
-				<p>Will be in host network by default initially. Support 
-				to set network to a different compartment may be desirable in 
-				the future.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.hostNetwork</code></li>
-					<li><code>spec.hostPID</code></li>
-					<li><code>spec.hostIPC</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li><code>true</code></li>
-				</ul>
-			</td>
-		</tr>
-	</tbody>
-</table>
-
-### Baseline
-
-**The _Baseline_ policy is aimed at ease of adoption for common containerized workloads while preventing known privilege escalations.** 
-This policy is targeted at application operators and developers of 
-non-critical applications. The following listed controls 
-should be enforced/disallowed:
-
-<table>
-	<caption style="display:none">Baseline policy specification</caption>
-	<tbody>
-		<tr>
-			<td><strong>Control</strong></td>
-			<td><strong>Policy</strong></td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Windows HostProcess</td>
-			<td>
-				<p>As is similar to  privileged containers this must be disallowed in the baseline policy. </p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/nil</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Host Namespaces</td>
-			<td>
-				<p>Not applicable. Windows privileged containers will be controlled with a 
-				new `WindowsSecurityContextOptions.HostProcess` instead of the existing 
-				`privileged` field due to fundamental differences in their implementation 
-				on Windows.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.hostNetwork</code></li>
-					<li><code>spec.hostPID</code></li>
-					<li><code>spec.hostIPC</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-		</tr>
-	</tbody>
-</table>
-
-## Policies Ignored on Windows
-Several policies in the Pod Security Standards do not apply to Windows nodes due to 
-architectural differences between Linux and Windows. These policies are as follows:
-
-<table>
-	<caption style="display:none">Privileged policy specification</caption>
-	<tbody>
-		<tr>
-			<td><strong>Control</strong></td>
-			<td><strong>Policy</strong></td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Host Namespaces</td>
-			<td>
-				<p>Windows does not have configurable PID/IPC 
-				namespaces (unlike Linux). 
-				Windows containers are always assigned their own 
-				process namespace. 
-				HostProcess containers always run in the host's 
-				process namespace. These 
-				behaviors are not configurable. Future plans in this 
-				area include 
-				improvements to enable scheduling pods that can 
-				contain both Windows 
-				Server and HostProcess containers. These fields would 
-				not makes in this 
-				scenario because Windows cannot configure PID/IPC 
-				namespaces like in Linux.
-				</p>
-				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>spec.hostNetwork</code></li>
-					<li><code>spec.hostPID</code></li>
-					<li><code>spec.hostIPC</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Privileged Containers</td>
-			<td>
-				<p>Not applicable. Windows privileged containers will be 
-				controlled with a new `WindowsSecurityContextOptions.HostProcess` 
-				instead of the existing `privileged` field due to fundamental 
-				differences in their implementation on Windows.</p>
-				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.privileged</code></li>
-					<li><code>spec.initContainers[*].securityContext.privileged</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">Capabilities</td>
-			<td>
-				<p>Windows OS has a concept of “capabilities” (referred to as 
-				“privileged constants” but they are not supported in the platform today.</p>
-				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.capabilities.add</code></li>
-					<li><code>spec.initContainers[*].securityContext.capabilities.add</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">AppArmor</td>
-			<td>
-				<p>AppArmor is not supported on Windows nodes.</p>
-				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>metadata.annotations["container.apparmor.security.beta.kubernetes.io/*"]</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap">SELinux</td>
-			<td>
-				<p>SELinux is not supported by Windows nodes.</p>
-				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seLinuxOptions.*</code></li>
-					<li><code>spec.containers[*].securityContext.seLinuxOptions.*</code></li>
-					<li><code>spec.initContainers[*].securityContext.seLinuxOptions.*</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-			<td style="white-space: nowrap"><code>/proc</code> Mount Type</td>
-			<td>
-				<p><code>/proc</code> masks are not supported on Windows nodes.</p>
-				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>spec.containers[*].securityContext.procMount</code></li>
-					<li><code>spec.initContainers[*].securityContext.procMount</code></li>
-				</ul>
-			</td>
-		</tr>
-		<tr>
-  			<td>Seccomp</td>
-  			<td>
-  				<p>Seccomp is not supported by Windows nodes.</p>
-  				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.seccompProfile.*</code></li>
-					<li><code>spec.containers[*].securityContext.seccompProfile.*</code></li>
-					<li><code>spec.initContainers[*].securityContext.seccompProfile.*</code></li>
-				</ul>
-  			</td>
-  		</tr>
-		<tr>
-			<td style="white-space: nowrap">Sysctls</td>
-			<td>
-				<p>These are part of the Linux sysctl interface, which has no equivalent on Windows.</p>
-				<p><strong>Unsupported Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.sysctls</code></li>
-				</ul>
-			</td>
-		</tr>
-	</tbody>
-</table>
-
-## FAQ
-
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index b1165290c4bc5..bfaa894bb75a1 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -51,16 +51,17 @@ on the host.
 - Both Named pipe mounts and Unix domain sockets are **not** currently supported and should instead be accessed via their 
 path on the host (e.g. \\\\.\\pipe\\\*)
 
- ## {{% heading "prerequisites" %}}
-# HostProcess Documentation
+## {{% heading "prerequisites" %}}
 
-To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to **kubelet** and **kube-apiserver**. See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview) documentation for more details.
+To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to **kubelet** and **kube-apiserver**. 
+See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview) documentation for more details.
 
 ```
 --feature-gates=WindowsHostProcessContainers=true
 ```
 
-You can use the latest version of Containerd (v1.5.4+) with the following settings using the containerd v2 configuration.  Add these annotations to any runtime configurations were you wish to enable the HostProcess Container feature.
+You can use the latest version of Containerd (v1.5.4+) with the following settings using the containerd v2 configuration.  
+Add these annotations to any runtime configurations were you wish to enable the HostProcess Container feature.
 
 
 ```
@@ -76,13 +77,82 @@ You can use the latest version of Containerd (v1.5.4+) with the following settin
         pod_annotations = ["microsoft.com/hostprocess-container"]
 ```
 
-The current versions of containerd ship with a version of hcsshim that does not have support. You will need to build a version of hcsshim from the main branch following the [instructions in hcsshim](https://github.com/Microsoft/hcsshim/#containerd-shim).  Once the containerd shim is built you can replace the file in your contianerd installation.  For example if you followed the instructions to [install containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) replace the `containerd-shim-runhcs-v1.exe` is installed at `$Env:ProgramFiles\containerd` with the newly built shim.
-
-We are working to improve this process by enabling HostProcess support directly in [containerd via the CRI api](https://github.com/containerd/containerd/pull/5131) as well as shipping a version of the containerd shim for Windows with support direclty via containerd releases.
-
-
-### Example Manifests
-
+The current versions of containerd ship with a version of hcsshim that does not have support. You will need to build 
+a version of hcsshim from the main branch following the [instructions in hcsshim](https://github.com/Microsoft/hcsshim/#containerd-shim). 
+Once the containerd shim is built you can replace the file in your contianerd installation.  For example if you followed the instructions
+ to [install containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) replace the
+  `containerd-shim-runhcs-v1.exe` is installed at `$Env:ProgramFiles\containerd` with the newly built shim.
+
+We are working to improve this process by enabling HostProcess support directly in 
+[containerd via the CRI api](https://github.com/containerd/containerd/pull/5131) as well as shipping a version of the containerd shim
+ for Windows with support direclty via containerd releases.
+
+## Creating a HostProcess Pod
+
+### Security Policy Config
+Enabling a Windows HostProcess pod simply requires setting the right configurations in the pod security configuration. 
+Many of the policies in the [Pod Security Standards](/docs/concepts/security/pod-security-standards) do not apply to 
+HostProcess containers (and Windows in general) due to architectural differences between Windows and Linux. As such, 
+here are the policy configurations required to enable HostProcess pods:
+
+<table>
+	<caption style="display:none">Privileged policy specification</caption>
+	<tbody>
+		<tr>
+			<td><strong>Control</strong></td>
+			<td><strong>Policy</strong></td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><a href="/docs/concepts/security/pod-security-standards">Windows HostProcess</a></td>
+			<td>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">
+        HostProcess containers</a> which enables privileged access to the Windows node. </p>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li><code>true</code></li>
+				</ul>
+			</td>
+		</tr>
+		<tr>
+			<td style="white-space: nowrap"><a href="/docs/concepts/security/pod-security-standards">Host Networking</a></td>
+			<td>
+				<p>Will be in host network by default initially. Support 
+				to set network to a different compartment may be desirable in 
+				the future.</p>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li><code>true</code></li>
+				</ul>
+			</td>
+		</tr>
+    <tr>
+			<td style="white-space: nowrap"><a href="/docs/tasks/configure-pod-container/configure-runasusername/">runAsUsername</a></td>
+			<td>
+				<p>Specification of which user the HostProcess container should run as is required for the pod spec.</p>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+					<li><code>"NT AUTHORITY\\Local service"</code></li>
+          <li><code>"NT AUTHORITY\\NetworkService"</code></li>
+          <li><code>"NT AUTHORITY\\Local service - Win32 Apps"</code></li>
+          <li><code>"NT AUTHORITY\\SYSTEM"</code></li>
+				</ul>
+			</td>
+		</tr>
+    <tr>
+			<td style="white-space: nowrap"><a href="/docs/concepts/security/pod-security-standards">runAsNonRoot</a></td>
+			<td>
+				<p>HostProcess containers have privileged access to the host so the runAsNonRoot field cannot be set to true.</p>
+				<p><strong>Allowed Values</strong></p>
+				<ul>
+          <li>Undefined/Nil</li>
+					<li><code>false</code></li>
+				</ul>
+			</td>
+		</tr>
+	</tbody>
+</table>
+
+### Example Manifest
 
 ```yaml
 spec:
@@ -104,7 +174,10 @@ spec:
 
 ## Volume Mounts
 
-HostProcess containers support the ability to mount volumes within the container volume space. Applications running inside the container can access volume mounts directly via relative or absolute paths. An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT` is set upon container creation and provides the absolute host path to the container volume. Relative paths are based upon the `Pod.containers.volumeMounts.mountPath` configuration.
+HostProcess containers support the ability to mount volumes within the container volume space. Applications running inside
+ the container can access volume mounts directly via relative or absolute paths. An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT`
+  is set upon container creation and provides the absolute host path to the container volume. Relative paths are based upon
+   the `Pod.containers.volumeMounts.mountPath` configuration.
 
 Example: To access service account tokens the following path structures are supported within the container:
 
@@ -121,4 +194,6 @@ Currently HostProcess containers only support the ability to run as one of four
 - **[LocalSystem](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account)**
 - **[LocalServiceAccount](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
 
-Operators should use these accounts to restrict access to system resources (e.g. files, registry, named pipes, WMI, etc.) and enforce the principle of least privilege. HostProcess containers have direct access to the host so it is recommended that a privileged workload only be given access to what it needs explicitly to prevent against accidental damage to the host. 
+Operators should use these accounts to restrict access to system resources (e.g. files, registry, named pipes, WMI, etc.)
+ and enforce the principle of least privilege. HostProcess containers have direct access to the host so it is recommended
+  that a privileged workload only be given access to what it needs explicitly to prevent against accidental damage to the host. 

From 977f11d986bdefe7f9fcc4d9f5b20d7a0a538209 Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Fri, 23 Jul 2021 16:53:23 -0700
Subject: [PATCH 07/10] Updated with for James' review

---
 .../security/pod-security-standards.md        |  4 +-
 .../en/docs/concepts/workloads/pods/_index.md |  2 +-
 .../create-hostprocess-pod.md                 | 72 ++++++++++---------
 3 files changed, 42 insertions(+), 36 deletions(-)

diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index 468be5b296710..d1c142fbf7796 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -517,14 +517,14 @@ ecosystem, such as [OPA Gatekeeper](https://github.com/open-profile-agent/gateke
 ### What profiles should I apply to my Windows Pods?
 
 Windows in Kubernetes has some limitations and differentiators from standard Linux-based
-workloads. Specifically, a many of the Pod SecurityContext fields [have no effect on
+workloads. Specifically, many of the Pod SecurityContext fields [have no effect on
 Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext). As
 such, no standardized Pod Security profiles currently exist.
 
 Windows HostProcess containers can be enabled for the privileged profile, but are explicitly blocked for baseline.
 Windows pods _may_ be broken by the restricted profile, which requires setting linux-specific 
 settings (such as seccomp profile and disallow privilege escalation). If the Kubelet and/or 
-container runtime choose to ignore these linux-specific values at runtime, then windows 
+container runtime choose to ignore these linux-specific values at runtime, then Windows 
 pods should still be allowed under the restricted profile, although the profile will not 
 add additional enforcement over baseline (for Windows).
 
diff --git a/content/en/docs/concepts/workloads/pods/_index.md b/content/en/docs/concepts/workloads/pods/_index.md
index 7cae3658303cb..3cfa1a7ce29b2 100644
--- a/content/en/docs/concepts/workloads/pods/_index.md
+++ b/content/en/docs/concepts/workloads/pods/_index.md
@@ -259,7 +259,7 @@ section.
 
 In Linux, any container in a Pod can enable privileged mode using the `privileged` (Linux) flag on the [security context](/docs/tasks/configure-pod-container/security-context/) of the container spec. This is useful for containers that want to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices.
 
-For Windows clusters with the `WindowsHostProcessContainers` feature enabled, administrators can create a [Windows HostProcess pod](/docs/tasks/configure-pod-container/create-hostprocess-pod) by setting the `windowsOptions.hostProcess` flag on the security context of the container spec. These pods run only Windows HostProcess containers, which run directly on the host and can also be used to perform administrative tasks as is done with Linux privileged containers.
+For Windows clusters with the `WindowsHostProcessContainers` feature enabled, administrators can create a [Windows HostProcess pod](/docs/tasks/configure-pod-container/create-hostprocess-pod) by setting the `windowsOptions.hostProcess` flag on the security context of the pod spec. All containers in these pods must run as Windows HostProcess containers. HostProcess pods run directly on the host and can also be used to perform administrative tasks as is done with Linux privileged containers.
 
 {{< note >}}
 Your {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} must support the concept of a privileged container for this setting to be relevant.
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index bfaa894bb75a1..0649468e28fd4 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -9,7 +9,7 @@ weight: 20
 {{< feature-state for_k8s_version="v1.22" state="alpha" >}}
 
 Windows HostProcess containers enable you to run containerized 
- workloads on a Windows host. These containers operate as 
+workloads on a Windows host. These containers operate as 
 normal processes but have access to the host network namespace, 
 storage, and devices when given the appropriate user privileges. 
 HostProcess containers can be used to deploy CNIs, 
@@ -25,7 +25,9 @@ to restrict resource access through user permissions. While neither filesystem o
 isolation are supported, a new volume is created on the host upon starting the container 
 to give it a clean and consolidated workspace. HostProcess containers can also be built on 
 top of existing Windows base images and do not inherit the same 
-[compatibility requirements](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) as Windows server containers.
+[compatibility requirements](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) 
+as Windows server containers, meaning that the version of the base images does not need 
+to match that of the host.
 
 ### When should I use a Windows HostProcess container?
 
@@ -39,29 +41,34 @@ privileges needed by Windows nodes.
 ### Important Notes
 
 - HostProcess containers will **only run when using version 1.5.4 (or higher) of the containerd [container runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes/)**.
-- As of v1.22 HostProcess pods can only run HostProcess containers. This is a current limitation
- of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
+- As of v1.22 HostProcess pods can only contain HostProcess containers. This is a current limitation 
+of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
 - HostProcess containers run as a process on the host and do not have any degree of 
 isolation other than resource constraints imposed on the HostProcess user account. Neither 
 filesystem or Hyper-V isolation are supported for HostProcess containers.
-- Volume mounts are supported and are mounted under the container volume. See [Volume Mounts](./create-hostprocess-pod#volume-mounts)
-- A limited set of host user accounts are available for HostProcess containers by default. See [Choosing a User Account](./create-hostprocess-pod#choosing-a-user-account).
+- Volume mounts are supported and are mounted under the container volume. 
+See [Volume Mounts](./create-hostprocess-pod#volume-mounts)
+- A limited set of host user accounts are available for HostProcess containers by default. 
+See [Choosing a User Account](./create-hostprocess-pod#choosing-a-user-account).
 - Resource limits (disk, memory, cpu count) are supported in the same fashion as processes 
 on the host.
-- Both Named pipe mounts and Unix domain sockets are **not** currently supported and should instead be accessed via their 
-path on the host (e.g. \\\\.\\pipe\\\*)
+- Both Named pipe mounts and Unix domain sockets are **not** currently supported and should instead 
+be accessed via their path on the host (e.g. \\\\.\\pipe\\\*)
 
 ## {{% heading "prerequisites" %}}
 
-To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to **kubelet** and **kube-apiserver**. 
-See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview) documentation for more details.
+To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to 
+**kubelet** and **kube-apiserver**. 
+See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview) 
+documentation for more details.
 
 ```
 --feature-gates=WindowsHostProcessContainers=true
 ```
 
-You can use the latest version of Containerd (v1.5.4+) with the following settings using the containerd v2 configuration.  
-Add these annotations to any runtime configurations were you wish to enable the HostProcess Container feature.
+You can use the latest version of Containerd (v1.5.4+) with the following settings using the containerd 
+v2 configuration. Add these annotations to any runtime configurations were you wish to enable the 
+HostProcess Container feature.
 
 
 ```
@@ -77,15 +84,17 @@ Add these annotations to any runtime configurations were you wish to enable the
         pod_annotations = ["microsoft.com/hostprocess-container"]
 ```
 
-The current versions of containerd ship with a version of hcsshim that does not have support. You will need to build 
-a version of hcsshim from the main branch following the [instructions in hcsshim](https://github.com/Microsoft/hcsshim/#containerd-shim). 
-Once the containerd shim is built you can replace the file in your contianerd installation.  For example if you followed the instructions
- to [install containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) replace the
-  `containerd-shim-runhcs-v1.exe` is installed at `$Env:ProgramFiles\containerd` with the newly built shim.
+The current versions of containerd ship with a version of hcsshim that does not have support. 
+You will need to build a version of hcsshim from the main branch following the 
+[instructions in hcsshim](https://github.com/Microsoft/hcsshim/#containerd-shim). 
+Once the containerd shim is built you can replace the file in your contianerd installation. 
+For example if you followed the instructions to 
+[install containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) 
+replace the `containerd-shim-runhcs-v1.exe` is installed at `$Env:ProgramFiles\containerd` with the newly built shim.
 
 We are working to improve this process by enabling HostProcess support directly in 
-[containerd via the CRI api](https://github.com/containerd/containerd/pull/5131) as well as shipping a version of the containerd shim
- for Windows with support direclty via containerd releases.
+[containerd via the CRI api](https://github.com/containerd/containerd/pull/5131) 
+as well as shipping a version of the containerd shim for Windows with support direclty via containerd releases.
 
 ## Creating a HostProcess Pod
 
@@ -93,7 +102,7 @@ We are working to improve this process by enabling HostProcess support directly
 Enabling a Windows HostProcess pod simply requires setting the right configurations in the pod security configuration. 
 Many of the policies in the [Pod Security Standards](/docs/concepts/security/pod-security-standards) do not apply to 
 HostProcess containers (and Windows in general) due to architectural differences between Windows and Linux. As such, 
-here are the policy configurations required to enable HostProcess pods:
+here are the set of policies and configuration values required to enable HostProcess pods:
 
 <table>
 	<caption style="display:none">Privileged policy specification</caption>
@@ -131,10 +140,9 @@ here are the policy configurations required to enable HostProcess pods:
 				<p>Specification of which user the HostProcess container should run as is required for the pod spec.</p>
 				<p><strong>Allowed Values</strong></p>
 				<ul>
+          <li><code>"NT AUTHORITY\\SYSTEM"</code></li>
 					<li><code>"NT AUTHORITY\\Local service"</code></li>
           <li><code>"NT AUTHORITY\\NetworkService"</code></li>
-          <li><code>"NT AUTHORITY\\Local service - Win32 Apps"</code></li>
-          <li><code>"NT AUTHORITY\\SYSTEM"</code></li>
 				</ul>
 			</td>
 		</tr>
@@ -174,26 +182,24 @@ spec:
 
 ## Volume Mounts
 
-HostProcess containers support the ability to mount volumes within the container volume space. Applications running inside
- the container can access volume mounts directly via relative or absolute paths. An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT`
-  is set upon container creation and provides the absolute host path to the container volume. Relative paths are based upon
-   the `Pod.containers.volumeMounts.mountPath` configuration.
+HostProcess containers support the ability to mount volumes within the container volume space. 
+Applications running inside the container can access volume mounts directly via relative or 
+absolute paths. An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT` is set upon container 
+creation and provides the absolute host path to the container volume. Relative paths are based 
+upon the `Pod.containers.volumeMounts.mountPath` configuration.
 
 Example: To access service account tokens the following path structures are supported within the container:
 
-`\var\run\secrets\kubernetes.io\serviceaccount\`
+`.\var\run\secrets\kubernetes.io\serviceaccount\`
 
 `$CONTAINER_SANDBOX_MOUNT_POINT\var\run\secrets\kubernetes.io\serviceaccount\`
 
 ## Choosing a User Account
 
-Currently HostProcess containers only support the ability to run as one of four supported Windows service accounts:
+Currently HostProcess containers only support the ability to run as one of three supported Windows service accounts:
 
+- **[LocalSystem](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account)**
 - **[LocalService](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
 - **[NetworkService](https://docs.microsoft.com/en-us/windows/win32/services/networkservice-account)**
-- **[LocalSystem](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account)**
-- **[LocalServiceAccount](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
 
-Operators should use these accounts to restrict access to system resources (e.g. files, registry, named pipes, WMI, etc.)
- and enforce the principle of least privilege. HostProcess containers have direct access to the host so it is recommended
-  that a privileged workload only be given access to what it needs explicitly to prevent against accidental damage to the host. 
+Operators should use these accounts to limit the degree of privileges made available to the HostProcess container to prevent accidental damage to the host. The LocalSystem account has the highest level of privilege of the three and should be used only if absolutely necessary. It is recommended that operators follow the principle of least privilege and use the LocalService account when possible.

From 9360d1adb5459ffef4a0855be250201fb5f634a2 Mon Sep 17 00:00:00 2001
From: Brandon Smith <BRASMITH@MICROSOFT.COM>
Date: Fri, 23 Jul 2021 17:43:34 -0700
Subject: [PATCH 08/10] Apply suggestions from code review

Co-authored-by: Tim Bannister <tim@scalefactory.com>
Co-authored-by: James Sturtevant <jsturtevant@gmail.com>
---
 .../security/pod-security-standards.md        | 13 ++++----
 .../en/docs/concepts/workloads/pods/_index.md |  2 +-
 .../create-hostprocess-pod.md                 | 31 ++++++++++++-------
 3 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index d1c142fbf7796..15a662669cf64 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -521,12 +521,12 @@ workloads. Specifically, many of the Pod SecurityContext fields [have no effect
 Windows](/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#v1-podsecuritycontext). As
 such, no standardized Pod Security profiles currently exist.
 
-Windows HostProcess containers can be enabled for the privileged profile, but are explicitly blocked for baseline.
-Windows pods _may_ be broken by the restricted profile, which requires setting linux-specific 
-settings (such as seccomp profile and disallow privilege escalation). If the Kubelet and/or 
-container runtime choose to ignore these linux-specific values at runtime, then Windows 
-pods should still be allowed under the restricted profile, although the profile will not 
-add additional enforcement over baseline (for Windows).
+If you apply the restricted profile for a Windows pod, this **may** have an impact on the pod
+at runtime. The restricted profile requires enforcing Linux-specific restrictions (such as seccomp
+profile, and disallowing privilege escalation). If the kubelet and / or its container runtime ignore
+these Linux-specific values, then the Windows pod should still work normally within the restricted
+profile. However, the lack of enforcement means that there is no additional restriction, for Pods
+that use Windows containers, compared to the baseline profile.
 
 ### What about sandboxed Pods?
 
@@ -540,4 +540,3 @@ kernel. This allows for workloads requiring heightened permissions to still be i
 
 Additionally, the protection of sandboxed workloads is highly dependent on the method of
 sandboxing. As such, no single recommended profile is recommended for all sandboxed workloads.
-
diff --git a/content/en/docs/concepts/workloads/pods/_index.md b/content/en/docs/concepts/workloads/pods/_index.md
index 3cfa1a7ce29b2..e29fefd639231 100644
--- a/content/en/docs/concepts/workloads/pods/_index.md
+++ b/content/en/docs/concepts/workloads/pods/_index.md
@@ -259,7 +259,7 @@ section.
 
 In Linux, any container in a Pod can enable privileged mode using the `privileged` (Linux) flag on the [security context](/docs/tasks/configure-pod-container/security-context/) of the container spec. This is useful for containers that want to use operating system administrative capabilities such as manipulating the network stack or accessing hardware devices.
 
-For Windows clusters with the `WindowsHostProcessContainers` feature enabled, administrators can create a [Windows HostProcess pod](/docs/tasks/configure-pod-container/create-hostprocess-pod) by setting the `windowsOptions.hostProcess` flag on the security context of the pod spec. All containers in these pods must run as Windows HostProcess containers. HostProcess pods run directly on the host and can also be used to perform administrative tasks as is done with Linux privileged containers.
+If your cluster has the `WindowsHostProcessContainers` feature enabled, you can create a [Windows HostProcess pod](/docs/tasks/configure-pod-container/create-hostprocess-pod) by setting the `windowsOptions.hostProcess` flag on the security context of the pod spec. All containers in these pods must run as Windows HostProcess containers. HostProcess pods run directly on the host and can also be used to perform administrative tasks as is done with Linux privileged containers.
 
 {{< note >}}
 Your {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}} must support the concept of a privileged container for this setting to be relevant.
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index 0649468e28fd4..afa5c217d101f 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -2,6 +2,7 @@
 title: Create a Windows HostProcess Pod
 content_type: task
 weight: 20
+min-kubernetes-server-version: 1.22
 ---
 
 <!-- overview -->
@@ -12,7 +13,7 @@ Windows HostProcess containers enable you to run containerized
 workloads on a Windows host. These containers operate as 
 normal processes but have access to the host network namespace, 
 storage, and devices when given the appropriate user privileges. 
-HostProcess containers can be used to deploy CNIs, 
+HostProcess containers can be used to deploy network plugins,
 storage configurations, device plugins, kube-proxy, and other 
 components to Windows nodes without the need for dedicated proxies or 
 the direct installation of host services.
@@ -32,15 +33,15 @@ to match that of the host.
 ### When should I use a Windows HostProcess container?
 
 - When you need to perform tasks which require the networking namespace of the host. 
-HostProcess containers have access to the host's network interfaces and IP.
+HostProcess containers have access to the host's network interfaces and IP addresses.
 - You need access to resources on the host such as the filesystem, event logs, etc.
-- Installation of specific devices drivers or services
+- Installation of specific device drivers or Windows services.
 - Consolidation of administrative tasks and security policies. This reduces the degree of 
 privileges needed by Windows nodes.
 
-### Important Notes
+## Limitations
 
-- HostProcess containers will **only run when using version 1.5.4 (or higher) of the containerd [container runtime](https://kubernetes.io/docs/setup/production-environment/container-runtimes/)**.
+- HostProcess containers require version 1.5.4 or higher of the containerd {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}.
 - As of v1.22 HostProcess pods can only contain HostProcess containers. This is a current limitation 
 of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
 - HostProcess containers run as a process on the host and do not have any degree of 
@@ -57,6 +58,8 @@ be accessed via their path on the host (e.g. \\\\.\\pipe\\\*)
 
 ## {{% heading "prerequisites" %}}
 
+{{% version-check %}}
+
 To enable HostProcess containers while in Alpha you need to pass the following feature gate flag to 
 **kubelet** and **kube-apiserver**. 
 See [Features Gates](https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/#overview) 
@@ -68,7 +71,7 @@ documentation for more details.
 
 You can use the latest version of Containerd (v1.5.4+) with the following settings using the containerd 
 v2 configuration. Add these annotations to any runtime configurations were you wish to enable the 
-HostProcess Container feature.
+HostProcess container feature.
 
 
 ```
@@ -89,7 +92,7 @@ You will need to build a version of hcsshim from the main branch following the
 [instructions in hcsshim](https://github.com/Microsoft/hcsshim/#containerd-shim). 
 Once the containerd shim is built you can replace the file in your contianerd installation. 
 For example if you followed the instructions to 
-[install containerd](https://kubernetes.io/docs/setup/production-environment/container-runtimes/#containerd) 
+[install containerd](/docs/setup/production-environment/container-runtimes/#containerd)
 replace the `containerd-shim-runhcs-v1.exe` is installed at `$Env:ProgramFiles\containerd` with the newly built shim.
 
 We are working to improve this process by enabling HostProcess support directly in 
@@ -99,7 +102,7 @@ as well as shipping a version of the containerd shim for Windows with support di
 ## Creating a HostProcess Pod
 
 ### Security Policy Config
-Enabling a Windows HostProcess pod simply requires setting the right configurations in the pod security configuration. 
+Enabling a Windows HostProcess pod requires setting the right configurations in the pod security configuration. 
 Many of the policies in the [Pod Security Standards](/docs/concepts/security/pod-security-standards) do not apply to 
 HostProcess containers (and Windows in general) due to architectural differences between Windows and Linux. As such, 
 here are the set of policies and configuration values required to enable HostProcess pods:
@@ -149,7 +152,7 @@ here are the set of policies and configuration values required to enable HostPro
     <tr>
 			<td style="white-space: nowrap"><a href="/docs/concepts/security/pod-security-standards">runAsNonRoot</a></td>
 			<td>
-				<p>HostProcess containers have privileged access to the host so the runAsNonRoot field cannot be set to true.</p>
+				<p>Because HostProcess containers have privileged access to the host, the <tt>runAsNonRoot</tt> field cannot be set to true.</p>
 				<p><strong>Allowed Values</strong></p>
 				<ul>
           <li>Undefined/Nil</li>
@@ -188,7 +191,9 @@ absolute paths. An environment variable `$CONTAINER_SANDBOX_MOUNT_POINT` is set
 creation and provides the absolute host path to the container volume. Relative paths are based 
 upon the `Pod.containers.volumeMounts.mountPath` configuration.
 
-Example: To access service account tokens the following path structures are supported within the container:
+### Example {#volume-mount-example}
+
+To access service account tokens the following path structures are supported within the container:
 
 `.\var\run\secrets\kubernetes.io\serviceaccount\`
 
@@ -202,4 +207,8 @@ Currently HostProcess containers only support the ability to run as one of three
 - **[LocalService](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
 - **[NetworkService](https://docs.microsoft.com/en-us/windows/win32/services/networkservice-account)**
 
-Operators should use these accounts to limit the degree of privileges made available to the HostProcess container to prevent accidental damage to the host. The LocalSystem account has the highest level of privilege of the three and should be used only if absolutely necessary. It is recommended that operators follow the principle of least privilege and use the LocalService account when possible.
+You should select an appropriate Windows service account for each HostProcess
+container, aiming to limit the degree of privileges so as to avoid accidental (or even
+malicious) damage to the host. The LocalSystem servuce account has the highest level
+of privilege of the three and should be used only if absolutely necessary. Where possible,
+use the LocalService service account as it is the least privileged of the three options.

From 48a3bf0a415b9f73b3679b84dd774169697d52f0 Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Fri, 23 Jul 2021 17:48:28 -0700
Subject: [PATCH 09/10] Minor edits

---
 .../create-hostprocess-pod.md                 | 47 +++++++++----------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index afa5c217d101f..87cc79389ad67 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -28,7 +28,8 @@ to give it a clean and consolidated workspace. HostProcess containers can also b
 top of existing Windows base images and do not inherit the same 
 [compatibility requirements](https://docs.microsoft.com/virtualization/windowscontainers/deploy-containers/version-compatibility) 
 as Windows server containers, meaning that the version of the base images does not need 
-to match that of the host.
+to match that of the host. HostProcess containers also support 
+[volume mounts](./create-hostprocess-pod#volume-mounts) within the container volume.
 
 ### When should I use a Windows HostProcess container?
 
@@ -39,22 +40,6 @@ HostProcess containers have access to the host's network interfaces and IP addre
 - Consolidation of administrative tasks and security policies. This reduces the degree of 
 privileges needed by Windows nodes.
 
-## Limitations
-
-- HostProcess containers require version 1.5.4 or higher of the containerd {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}.
-- As of v1.22 HostProcess pods can only contain HostProcess containers. This is a current limitation 
-of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
-- HostProcess containers run as a process on the host and do not have any degree of 
-isolation other than resource constraints imposed on the HostProcess user account. Neither 
-filesystem or Hyper-V isolation are supported for HostProcess containers.
-- Volume mounts are supported and are mounted under the container volume. 
-See [Volume Mounts](./create-hostprocess-pod#volume-mounts)
-- A limited set of host user accounts are available for HostProcess containers by default. 
-See [Choosing a User Account](./create-hostprocess-pod#choosing-a-user-account).
-- Resource limits (disk, memory, cpu count) are supported in the same fashion as processes 
-on the host.
-- Both Named pipe mounts and Unix domain sockets are **not** currently supported and should instead 
-be accessed via their path on the host (e.g. \\\\.\\pipe\\\*)
 
 ## {{% heading "prerequisites" %}}
 
@@ -95,13 +80,25 @@ For example if you followed the instructions to
 [install containerd](/docs/setup/production-environment/container-runtimes/#containerd)
 replace the `containerd-shim-runhcs-v1.exe` is installed at `$Env:ProgramFiles\containerd` with the newly built shim.
 
-We are working to improve this process by enabling HostProcess support directly in 
-[containerd via the CRI api](https://github.com/containerd/containerd/pull/5131) 
-as well as shipping a version of the containerd shim for Windows with support direclty via containerd releases.
+## Limitations
+
+- HostProcess containers require version 1.5.4 or higher of the containerd {{< glossary_tooltip text="container runtime" term_id="container-runtime" >}}.
+- As of v1.22 HostProcess pods can only contain HostProcess containers. This is a current limitation 
+of the Windows OS; non-privileged Windows containers cannot share a vNIC with the host IP namespace.
+- HostProcess containers run as a process on the host and do not have any degree of 
+isolation other than resource constraints imposed on the HostProcess user account. Neither 
+filesystem or Hyper-V isolation are supported for HostProcess containers.
+- Volume mounts are supported and are mounted under the container volume. 
+See [Volume Mounts](./create-hostprocess-pod#volume-mounts)
+- A limited set of host user accounts are available for HostProcess containers by default. 
+See [Choosing a User Account](./create-hostprocess-pod#choosing-a-user-account).
+- Resource limits (disk, memory, cpu count) are supported in the same fashion as processes 
+on the host.
+- Both Named pipe mounts and Unix domain sockets are **not** currently supported and should instead 
+be accessed via their path on the host (e.g. \\\\.\\pipe\\\*)
 
-## Creating a HostProcess Pod
+## Creating a HostProcess Security Policy Config
 
-### Security Policy Config
 Enabling a Windows HostProcess pod requires setting the right configurations in the pod security configuration. 
 Many of the policies in the [Pod Security Standards](/docs/concepts/security/pod-security-standards) do not apply to 
 HostProcess containers (and Windows in general) due to architectural differences between Windows and Linux. As such, 
@@ -163,7 +160,7 @@ here are the set of policies and configuration values required to enable HostPro
 	</tbody>
 </table>
 
-### Example Manifest
+### Example Manifest (excerpt)
 
 ```yaml
 spec:
@@ -201,7 +198,7 @@ To access service account tokens the following path structures are supported wit
 
 ## Choosing a User Account
 
-Currently HostProcess containers only support the ability to run as one of three supported Windows service accounts:
+HostProcess containers support the ability to run as one of three supported Windows service accounts:
 
 - **[LocalSystem](https://docs.microsoft.com/en-us/windows/win32/services/localsystem-account)**
 - **[LocalService](https://docs.microsoft.com/en-us/windows/win32/services/localservice-account)**
@@ -209,6 +206,6 @@ Currently HostProcess containers only support the ability to run as one of three
 
 You should select an appropriate Windows service account for each HostProcess
 container, aiming to limit the degree of privileges so as to avoid accidental (or even
-malicious) damage to the host. The LocalSystem servuce account has the highest level
+malicious) damage to the host. The LocalSystem service account has the highest level
 of privilege of the three and should be used only if absolutely necessary. Where possible,
 use the LocalService service account as it is the least privileged of the three options.

From 4a0c02e36f97e4a2df5c8b862e672e3255fa3840 Mon Sep 17 00:00:00 2001
From: Brandon Smith <brasmith@microsoft.com>
Date: Mon, 26 Jul 2021 17:00:59 -0700
Subject: [PATCH 10/10] Modifications for additional feedback

---
 .../security/pod-security-standards.md        | 20 +++-------------
 .../create-hostprocess-pod.md                 | 23 +++++++++++--------
 2 files changed, 16 insertions(+), 27 deletions(-)

diff --git a/content/en/docs/concepts/security/pod-security-standards.md b/content/en/docs/concepts/security/pod-security-standards.md
index 15a662669cf64..1aa1907398ccd 100644
--- a/content/en/docs/concepts/security/pod-security-standards.md
+++ b/content/en/docs/concepts/security/pod-security-standards.md
@@ -58,7 +58,7 @@ fail validation.
 		<tr>
 			<td style="white-space: nowrap">HostProcess</td>
 			<td>
-				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. </p>
+				<p>Windows pods offer the ability to run <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> which enables privileged access to the Windows node. Privileged access to the host is disallowed in the baseline policy. HostProcess pods are an <strong>alpha</strong> feature as of Kubernetes <strong>v1.22</strong>.</p>
 				<p><strong>Restricted Fields</strong></p>
 				<ul>
 					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
@@ -275,22 +275,6 @@ fail validation.
 				</ul>
 			</td>
 		</tr>
-		<tr>
-			<td style="white-space: nowrap">Windows HostProcess</td>
-			<td>
-				<p>Running Windows pods as <a href="/docs/tasks/configure-pod-container/create-hostprocess-pod">HostProcess containers</a> enables privileged access to the Windows node and should be disallowed.</p>
-				<p><strong>Restricted Fields</strong></p>
-				<ul>
-					<li><code>spec.securityContext.windowsOptions.hostProcess</code></li>
-					<li><code>spec.containers[*].securityContext.windowsOptions.hostProcess</code></li>
-				</ul>
-				<p><strong>Allowed Values</strong></p>
-				<ul>
-					<li>Undefined/null</li>
-					<li><code>false</code></li>
-				</ul>
-			</td>
-		</tr>
 	</tbody>
 </table>
 
@@ -528,6 +512,8 @@ these Linux-specific values, then the Windows pod should still work normally wit
 profile. However, the lack of enforcement means that there is no additional restriction, for Pods
 that use Windows containers, compared to the baseline profile.
 
+The use of the HostProcess flag to create a HostProcess pod should only be done in alignment with the privileged policy. Creation of a Windows HostProcess pod is blocked under the baseline and restricted policies, so any HostProcess pod should be considered privileged.
+
 ### What about sandboxed Pods?
 
 There is not currently an API standard that controls whether a Pod is considered sandboxed or
diff --git a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
index 87cc79389ad67..5b9ab97a2c4f7 100644
--- a/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
+++ b/content/en/docs/tasks/configure-pod-container/create-hostprocess-pod.md
@@ -89,20 +89,23 @@ of the Windows OS; non-privileged Windows containers cannot share a vNIC with th
 isolation other than resource constraints imposed on the HostProcess user account. Neither 
 filesystem or Hyper-V isolation are supported for HostProcess containers.
 - Volume mounts are supported and are mounted under the container volume. 
-See [Volume Mounts](./create-hostprocess-pod#volume-mounts)
+See [Volume Mounts](#volume-mounts)
 - A limited set of host user accounts are available for HostProcess containers by default. 
-See [Choosing a User Account](./create-hostprocess-pod#choosing-a-user-account).
+See [Choosing a User Account](#choosing-a-user-account).
 - Resource limits (disk, memory, cpu count) are supported in the same fashion as processes 
 on the host.
 - Both Named pipe mounts and Unix domain sockets are **not** currently supported and should instead 
 be accessed via their path on the host (e.g. \\\\.\\pipe\\\*)
 
-## Creating a HostProcess Security Policy Config
+## HostProcess Pod configuration requirements
 
-Enabling a Windows HostProcess pod requires setting the right configurations in the pod security configuration. 
-Many of the policies in the [Pod Security Standards](/docs/concepts/security/pod-security-standards) do not apply to 
-HostProcess containers (and Windows in general) due to architectural differences between Windows and Linux. As such, 
-here are the set of policies and configuration values required to enable HostProcess pods:
+Enabling a Windows HostProcess pod requires setting the right configurations in the pod security 
+configuration. Of the policies defined in the [Pod Security Standards](/docs/concepts/security/pod-security-standards) 
+HostProcess pods are disallowed by the baseline and restricted policies. It is therefore recommended 
+that HostProcess pods run in alignment with the privileged profile. 
+
+When running under the privileged policy, here are
+the configurations which need to be set to enable the creation of a HostProcess pod:
 
 <table>
 	<caption style="display:none">Privileged policy specification</caption>
@@ -140,9 +143,9 @@ here are the set of policies and configuration values required to enable HostPro
 				<p>Specification of which user the HostProcess container should run as is required for the pod spec.</p>
 				<p><strong>Allowed Values</strong></p>
 				<ul>
-          <li><code>"NT AUTHORITY\\SYSTEM"</code></li>
-					<li><code>"NT AUTHORITY\\Local service"</code></li>
-          <li><code>"NT AUTHORITY\\NetworkService"</code></li>
+          			<li><code>NT AUTHORITY\SYSTEM</code></li>
+					<li><code>NT AUTHORITY\Local service</code></li>
+					<li><code>NT AUTHORITY\NetworkService</code></li>
 				</ul>
 			</td>
 		</tr>