support multipod scenarios with VirtualPodID annotation

This is in continuation of the azcri changes https://msazure.visualstudio.com/ContainerPlatform/_git/azcri/pullrequest/12968264

- Add VirtualPodID, TenantSandboxID, and SkipPodNetworking annotations to pkg/annotations
- Update create.go to treat containers with VirtualPodID equal to container ID as sandboxes for networking to support separate Network namespace for each Pod in the UVM.

(cherry picked from commit c196086161b65682e0d923e3bb8b3c5ed789a497)
Signed-off-by: Hamza El-Saawy <[email protected]>

Author: Abhishek Singh (Manifold)

internal/hcsoci/create.go

@@ -27,6 +27,7 @@ import (
 	"github.com/Microsoft/hcsshim/internal/resources"
 	"github.com/Microsoft/hcsshim/internal/schemaversion"
 	"github.com/Microsoft/hcsshim/internal/uvm"
+	"github.com/Microsoft/hcsshim/pkg/annotations"
 )
 
 var (
@@ -148,10 +149,14 @@ func configureSandboxNetwork(ctx context.Context, coi *createOptionsInternal, r
 	coi.actualNetworkNamespace = r.NetNS()
 
 	if coi.HostingSystem != nil {
+		// Check for virtual pod first containers: if containerID == virtualPodID, treat as sandbox for networking configuration
+		virtualPodID := coi.Spec.Annotations[annotations.VirtualPodID]
+		isVirtualPodFirstContainer := virtualPodID != "" && coi.actualID == virtualPodID
+
 		// Only add the network namespace to a standalone or sandbox
 		// container but not a workload container in a sandbox that inherits
 		// the namespace.
-		if ct == oci.KubernetesContainerTypeNone || ct == oci.KubernetesContainerTypeSandbox {
+		if ct == oci.KubernetesContainerTypeNone || ct == oci.KubernetesContainerTypeSandbox || isVirtualPodFirstContainer {
 			if err := coi.HostingSystem.ConfigureNetworking(ctx, coi.actualNetworkNamespace); err != nil {
 				// No network setup type was specified for this UVM. Create and assign one here unless
 				// we received a different error.

pkg/annotations/annotations.go

@@ -107,6 +107,21 @@ const (
 	LCOWPrivileged = "io.microsoft.virtualmachine.lcow.privileged"
 )
 
+// LCOW multipod annotations enables multipod and warmpooling.
+const (
+	// SkipPodNetworking is the annotation to skip networking setup for the pod.
+	// This prevents errors from being raised when the pod is created without endpoints. Boolean.
+	SkipPodNetworking = "io.microsoft.cri.skip-pod-networking"
+
+	// TenantSandboxID is the annotation to specify the ID of an existing tenant sandbox
+	// to use for the pod sandbox. If present, the pod will join the specified tenant sandbox. String.
+	TenantSandboxID = "io.microsoft.cri.tenant-sandbox-id"
+
+	// VirtualPodID is the annotation to specify the pod ID not associated with a shim
+	// that a container should be placed in. This is used for multipod scenarios. String.
+	VirtualPodID = "io.microsoft.cri.virtual-pod-id"
+)
+
 // LCOW integrity protection and confidential container annotations.
 const (
 	// DmVerityCreateArgs specifies the `dm-mod.create` parameters to kernel and enables integrity protection of