Service account proposal.

COMMIT_BLOCKED_ON_GENDOCS
Eric Tune
2014-11-11 10:52:31 -08:00
parent 17feadf977
commit 38a85ef81e
3 changed files with 171 additions and 5 deletions

@@ -172,13 +172,13 @@ type IDMapping struct {
// IDMappingRange specifies a mapping between container IDs and node IDs
type IDMappingRange struct {
// ContainerID is the starting container ID
// ContainerID is the starting container UID or GID
ContainerID int
// HostID is the starting host ID
// HostID is the starting host UID or GID
HostID int
// Length is the length of the ID range
// Length is the length of the UID/GID range
Length int
}
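Review bot: The type-level comment above the struct still reads "a mapping between container IDs and node IDs", while the updated field comments say "host UID or GID", so the two now use different terms for the same thing. Suggest rewording that comment to "container UIDs/GIDs and host UIDs/GIDs" in the same change. The field comments also leave open whether a given range is a UID range or a GID range; that has to come from the enclosing field, so it is worth saying so here. Since all three fields are plain `int`, the comments should also state the valid values (non-negative `ContainerID` and `HostID`, `Length` greater than zero) so that validation has something to check against.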
@@ -187,4 +187,4 @@ type IDMappingRange struct {
#### Security Context Lifecycle
The lifecycle of a security context will be tied to that of a service account. It is expected that a service account with a default security context will be created for every Kubernetes namespace (without administrator intervention). If resources need to be allocated when creating a security context (for example, assign a range of host uids/gids), a pattern such as [finalizers](https://github.com/GoogleCloudPlatform/kubernetes/issues/3585) can be used before declaring the security context / service account / namespace ready for use.
The lifecycle of a security context will be tied to that of a service account. It is expected that a service account with a default security context will be created for every Kubernetes namespace (without administrator intervention). If resources need to be allocated when creating a security context (for example, assign a range of host uids/gids), a pattern such as [finalizers](https://github.com/GoogleCloudPlatform/kubernetes/issues/3585) can be used before declaring the security context / service account / namespace ready for use.
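Review bot: The removed and added versions of the "Security Context Lifecycle" paragraph are identical as shown, so this looks like a whitespace-only or end-of-file newline change; please confirm it is intentional and not editor noise riding along with the proposal. On the text itself, the paragraph covers allocation of host uid/gid ranges before the security context, service account, or namespace is declared ready, but says nothing about releasing those ranges when the service account or namespace is deleted. A sentence on release, and on whether a freed range can be handed to a different namespace, would close that gap.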