This repository has been archived by the owner on Jul 3, 2021. It is now read-only.

Add ops-file to enable CSI shared mounts #355

Merged
merged 1 commit into from
Dec 7, 2018

davewalter
Contributor

What this PR does / why we need it:

This PR adds an ops-file to allow operators to configure docker to enable shared mounts.

How can this PR be verified?

When the ops-file is applied, the docker job on the worker should be configured with shared_mounts_enable set to true.

Is there any change in kubo-release?

No.

Is there any change in kubo-ci?

No.

Does this affect upgrade, or is there any migration required?

No.

Which issue(s) this PR fixes:

This is required to configure CSI support in Kubernetes. See this doc for details.

Release note:

Added an ops-file to enable shared mounts for CSI support. See the [Kubernetes CSI Setup Documentation](https://kubernetes-csi.github.io/docs/Setup.html#enabling-mount-propagation) for details.

Please feel free to reach out if you have any questions.

Regards,
Dave

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/161736917

The labels on this github issue will be updated when the story is started.

@cfdreddbot

Hey davewalter!

Thanks for submitting this pull request! I'm here to inform the recipients of the pull request that you and the commit authors have already signed the CLA.

@alex-slynko
Member

Hi @davewalter

Is there any reason not to include it as the default option in the main manifest?

I am assuming that mount propagation is required for all CSI volumes.

@julian-hj
Member

@alex-slynko see https://docs.docker.com/v17.09/engine/admin/volumes/bind-mounts/#configure-bind-propagation for more details about what this setting does.

Basically, this is a setting that's necessary to run most CSI plugins in k8s, but degrades container security somewhat, since it allows mounts created within the container to leak out into the root namespace, and potentially back into other containers.
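
Added example, not part of the pull request or its comments: a Python audit that reads `/proc/<pid>/mountinfo` text and lists the mounts that sit in a shared peer group, the propagation mode the comment above describes as letting mounts leave the container. The sample lines and the function names are constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/mountinfo format (not from a real host).
SAMPLE_MOUNTINFO = """
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
36 22 0:31 / /var/lib/kubelet rw,relatime shared:12 - ext4 /dev/sda1 rw
48 36 0:45 / /var/lib/kubelet/pods/example/csi/mount rw shared:27 master:12 - ext4 /dev/sdb rw
51 22 0:47 / /mnt/ro\\040data ro master:3 - ext4 /dev/sdc ro
60 22 0:50 / /run/secrets rw unbindable - tmpfs tmpfs rw
"""


def _unescape(path):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_line(line):
    """Parse one mountinfo line into mount point, fs type and propagation."""
    f = line.split()
    sep = f.index("-", 6)  # optional fields sit between field 6 and "-"
    tags = dict(t.partition(":")[::2] for t in f[6:sep])
    if "shared" in tags and "master" in tags:
        prop = "shared+slave"
    elif "shared" in tags:
        prop = "shared"        # mount events propagate to and from peers
    elif "master" in tags:
        prop = "slave"         # receives events, does not send them
    elif "unbindable" in tags:
        prop = "unbindable"
    else:
        prop = "private"       # no optional field: nothing propagates
    return {"mount_point": _unescape(f[4]), "fs_type": f[sep + 1],
            "propagation": prop, "peer_group": tags.get("shared")}


def propagating_mounts(mountinfo_text):
    """Return mounts in a shared peer group, i.e. whose mounts reach peers."""
    lines = [l for l in mountinfo_text.splitlines() if l.strip()]
    return [m for m in map(parse_line, lines) if m["peer_group"] is not None]


if __name__ == "__main__":
    try:
        text = open("/proc/self/mountinfo").read()
    except OSError:
        text = SAMPLE_MOUNTINFO  # fall back to the constructed sample
    for m in propagating_mounts(text):
        print(f"{m['propagation']:13} peer={m['peer_group']:>4} {m['mount_point']}")
```

Run inside a container and on the worker before and after applying the ops-file to see which mount points change from private to shared.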
