another nit: wouldn't it be more logical to move the loop back here - after the Init containers check.

I think it's important to change ordering back to make sure that any changes related to containers start/stop are only applied after all Init container complete. Just to avoid potential issues in a future if more logic will be added

containersToStart is also used to determine whether there's a need to create a sandbox. Wouldn't it cause repeated computation if moving the loop back here?

From the logic here - if the if len(pod.Spec.InitContainers) != 0 { than we need to start an Init container. So this condition check should go before any container-related ones. I was imagining situation when len(pod.Spec.Containers) is 0, i.e. pod has no containers, but has Init containers. In this case if order of checks will be as it's written, Init containers wouldn't run. The situation when there are no containers in a pod seems to be impossible today, thus it's just a recommendation to swap these checks. In anticipation that one day more conditions may be added above which semantically needs to run after all Init containers logic complete.

Thanks for the explanation. I understand the concern now, but swapping them back could cause sandbox still being recreated if any initContainer is present. The current workflow of a Pod with initContainer is and would be kept as below:

1. create sandbox, create init container, create container (expected actions)
2. all containers succeeded, delete sandbox (expected actions)
3. create sandbox, create init container (unexpected actions)

If taking potential no container case into consideration, could we add a condition to ensure this is not the first time to create sandbox like

w.r.t. Sergey's comment, is it possible that a pod has:

some init containers (> 0)
no container
some Ephemeral Containers (> 0)

To ensure all initContainers can run once successfully regardless of there are containers to start, I added one more condition for not creating sandbox. It should address the potential case "init containers (> 0), no container".

For the case of Ephemeral Containers (> 0), I think it's not affected by this PR. It was never created along with (re-)creating sandbox, and was handled when createPodSandbox is false after initContainer or normal container became running. The behavior is kept as it is.

I made a comment above. Suggestion is to minimize the introduced changes.

Also, maybe introducing a test with the situaiton @tedyu outlined will be beneficial. So future changes will take it into account.

There are already some tests to cover a Pod in TestComputePodActionsWithInitAndEphemeralContainers for example:

And I have added Create a new pod sandbox if the pod sandbox is dead, init container failed and RestartPolicy == OnFailure to it to ensure sandbox can be recreated as long as initialization is not done regardless of regular containers and ephemeral containers' status.
I didn't really delete regular containers from the pod spec of the tests, thinking it sounds strange to have a case with illegal input, but I think they should cover the situation @tedyu outlined implicitly