Added kubelet config parameter 'seccompDefault'

[AleksandarSavchev]

How to categorize this PR?

/area security
/kind enhancement

What this PR does / why we need it:
This PR adds a new config parameter seccompDefault to kubelet which enhances the securityContext of shoot pods by setting their seccomp profiles to "RuntimeDefault". This new parameter is available for k8s versions >= 1.25 and can be enabled only when kubelet's 'SeccompDefault' feature gate is enabled (it is enabled by default). Added tests for new parameter.

Which issue(s) this PR fixes:
Fixes #6501

Special notes for your reviewer:
Please see the comment below.

Release note:

It is now possible to configure the `seccompDefault` field for the kubelet configuration in the `Shoot` API via `.spec.{provider.workers[]}.kubernetes.kubelet.seccompDefault`. This configuration is only available for k8s version >= 1.25 and it is not turned on by default.

Function `ValidateWorker()` in `pkg/apis/core/validation` now accepts `core.Kubernetes` struct instead of `string` as second argument.

Shoot worker definitions are now validated using `.spec.kubernetes.kubelet` when `.spec.provider.workers[].kubernetes.kubelet` is not specified.

[AleksandarSavchev]

There is a problem with inheritance of kubelet config for workers, meaning that the seccomp configuration is not validated correctly.
/hold until I resolve this

[AleksandarSavchev]

The ValidateWorker function did not validate worker's kubelet config when it was missing. When it is missing the worker would inherit the shoot's kubelet config. Added validation for the shoot's kubelet config when the worker's config is missing.

Removed the default value for seccompDefault config since it does not change the functionality and it would have been inherited by the worker node even when the worker node's k8s version is <= 1.24. In such a case there would have been a validation error which would have been hard to understand since the user has not set seccompDefault.

[AleksandarSavchev]

/unhold

[dimityrmirchev]

Thanks!
/lgtm

[rfranzke]

/assign

[rfranzke]

Nice PR.

Are you addressing https://github.com/gardener/gardener/blob/2c5074415de457e9609f51850e62991c3cdb4f0d/docs/usage/default_seccomp_profile.md#future-steps here?
Independent of this, does it make sense to adapt the documentation/this file with information about this new feature?

[AleksandarSavchev]

Nice PR.

Are you addressing https://github.com/gardener/gardener/blob/2c5074415de457e9609f51850e62991c3cdb4f0d/docs/usage/default_seccomp_profile.md#future-steps here? Independent of this, does it make sense to adapt the documentation/this file with information about this new feature?

Thank you for pointing this out. I have now updated this file with new information about the feature.

[rfranzke]

/lgtm
/approve

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dimityrmirchev, rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rfranzke]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rfranzke]

@AleksandarSavchev: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-gardener-e2e-kind 779e103 link true /test pull-gardener-e2e-kind
pull-gardener-check-vulnerabilities 2d9fe99 link false /test pull-gardener-check-vulnerabilities
Full PR test history. Your PR dashboard. Command help for this repository. Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Looks like #6766
/retest

[rfranzke]

/lgtm

[gardener-prow]

@AleksandarSavchev: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-gardener-check-vulnerabilities	2d9fe99	link	false	/test pull-gardener-check-vulnerabilities

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.