KEP-3117: address comments

Signed-off-by: Giuseppe Scrivano <[email protected]>

Author: giuseppe

keps/sig-node/3317-user-namespaces/README.md

@@ -211,7 +211,7 @@ By default it is set to `true`.
 The following messages will be added:
 
 ```
-// A IDMapping describes a ID mapping for the user namespace used for the
+// IDMapping describes host to container ID mappings for a pod sandbox.
 // pod.
 message IDMapping {
     // host_id is the id on the host.
@@ -222,10 +222,9 @@ message IDMapping {
     uint32 length = 3;
 }
 
-// A UserNamespace describes the intended user namespace configuration.
+// UserNamespace describes the intended user namespace configuration for a sandbox.
 message UserNamespace {
-    // User namespace for this sandbox.
-    // Note: It currently supports only POD and NODE.
+    // NamespaceMode: `POD` or `NODE`
     NamespaceMode mode = 1;
 
     // uids specifies the UID mappings for the user namespace.
@@ -260,7 +259,11 @@ message NamespaceOption {
     // for each namespace.
     string target_id = 4;
     // User namespace for this sandbox.
-    UserNamespace user = 5;
+	// The Kubelet picks the user namespace configuration to use for the sandbox.  The mappings
+	// are specified as part of the UserNamespace struct.  If the struct is nil, then the POD mode
+	// must be assumed.  This is done for backward compatibility with older Kubelet versions that
+	// do not set a user namespace.
+	UserNamespace user = 5;
 }
 
 ```
@@ -525,6 +528,10 @@ To test with userns enabled, we need to patch container runtimes. We can either
 try to use a patched version or make the alpha longer and add e2e when we can
 use container runtime versions that have the needed changes.
 
+#### critests
+
+- For Alpha, the feature is tested for containerd and CRI-O in cri-tools repo using critest to
+  make sure the specified user namespace configuration is honored.
 
 - <test>: <link to test coverage>