binding privileged container to netns of unprivileged container

gistfile1.md

$ kubectl get pods
NAME                      READY     STATUS        RESTARTS   AGE
nginx-56f766d96f-lxkc9    1/1       Running       0          6m

$ docker ps | grep k8s_POD_nginx-56f766d96f-lxkc9
85b59aced967        k8s.gcr.io/pause-amd64:3.1   "/pause"                 7 minutes ago       Up 7 minutes                            k8s_POD_nginx-56f766d96f-lxkc9_default_426a6401-95b5-11e8-8a83-0800271b7911_0

$ docker run -i -t --privileged --net=container:85b59aced967 alpine /bin/sh

$ apk update
$ apk add libcap-ng-utils
$ pscap -a
ppid  pid   name        command           capabilities
0     1     root        sh                full