Can't configure knative service for isolation

[wilsonianb]

knative api doesn't let you specify

• AutomountServiceAccountToken
• DNSPolicy
• RuntimeClassName

https://github.com/knative/serving/blob/d2ea625894c4fc9fba2caeca88792f87e020408b/pkg/apis/serving/fieldmask.go#L151-L177

[wilsonianb]

In version 1.6+, you can opt out of automounting API credentials for a service account by setting automountServiceAccountToken: false on the service account

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

[wilsonianb]

Configuring coredns POD-MODE to disabled might be comparable to dnsPolicy: default but it may also mess up knative.
https://coredns.io/plugins/kubernetes/

[wilsonianb]

Could try using the deprecated

annotations:
   io.kubernetes.cri.untrusted-workload: "true"

to get kata to work without RuntimeClassName
https://github.com/kata-containers/documentation/blob/master/how-to/containerd-kata.md

or simply make kata-fc the default runtime for all pods, but then we'd have to deal with kata/firecracker limitations on all pods
kata-containers/documentation#351

[wilsonianb]

The io.kubernetes.cri.untrusted-workload annotation method works

knative issue opened:
knative/serving#5306

[wilsonianb]

Discussion on how more PodSpec fields could be included in knative
https://docs.google.com/document/d/1DY5t7LqGPOq5Jw5AixSgJY8S2VuQnTGzRpV6apY_nAI