
Allow runtime/default seccomp profile in the built-in SCCs #1325

Closed
@pjbgf

Description


Currently, all default SCCs (except privileged) block users from setting seccomp to runtime/default. The current behaviour seems to be a disservice as it blocks workloads from using more restrictive security controls, which may lead to folks simply setting a workload's SCC to privileged in order to "get it to work".
This is becoming a larger problem as folks around the OSS community and the private sector start shipping workloads with seccomp set to runtime/default, which has been the recommended setting in the CIS Benchmark for a few years now. They are now facing a few options:

The suggested change is to allow all default SCCs to support:

  • unconfined (current Kubernetes default for backwards compatibility)
  • runtime/default (future Kubernetes default and safer position)

I am not entirely sure of the longevity and future plans of SCC. However, making this change will:

  • Help developers seamlessly support OpenShift (from a seccomp perspective).
  • Help companies to be CIS Benchmark compliant.
  • Support the new defaults from Kubernetes upstream.

Looking forward to hearing some thoughts around this and understanding how receptive the maintainers would be to the above.

cc: @JAORMX @jhrozek @saschagrunert


Upstream Context:

  • Around 2016 Docker created a default seccomp profile and enabled it by default. The same profile was introduced into Kubernetes as docker/default and was later renamed to runtime/default.
  • Kubernetes 1.19: Seccomp made GA, with the profile unconfined by default.
  • Kubernetes 1.22: SeccompDefault feature gate created, enabling users to switch from unconfined to runtime/default across the entire cluster.
  • Kubernetes 1.25 (planned): SeccompDefault feature gate is enabled by default, meaning that all workloads will have seccomp profile runtime/default unless otherwise set on a per workload (pod or container) basis.
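The manifests below are an added example, not part of the issue above and not code shipped by OpenShift or Kubernetes. They show the two sides of the conflict the issue describes: a pod that opts into runtime/default through the GA `securityContext.seccompProfile` field (the CIS-recommended setting), an illustrative SCC that would admit it because its `seccompProfiles` list names `runtime/default`, and the kubelet configuration that turns on the upstream SeccompDefault feature gate. The SCC name, the pod name and the container image are placeholders; the other SCC fields are a minimal valid set chosen for the example and do not claim to reproduce any built-in SCC.

```yaml
# Added example (not from the issue): a pod that requests the
# CIS-recommended seccomp profile via the GA field introduced in 1.19.
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-runtime-default      # placeholder name
spec:
  securityContext:
    # Pod-level default for every container; the pre-1.19 equivalent was
    # the annotation seccomp.security.alpha.kubernetes.io/pod: runtime/default
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
---
# Illustrative SCC (hypothetical name and field values) showing the field
# the issue is about. An SCC whose seccompProfiles list is empty does not
# admit a pod that requests any profile; "*" admits any profile; a list of
# names admits only those. This one admits exactly runtime/default.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-seccomp-example       # hypothetical SCC name
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
requiredDropCapabilities: ["ALL"]
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
  - runtime/default
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
users: []
groups: []
---
# Kubelet side of the upstream change the issue references: the 1.22+
# SeccompDefault gate makes runtime/default the node-wide default for
# pods that set nothing, without touching SCC admission at all.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
featureGates:
  SeccompDefault: true
seccompDefault: true
```

To see what a given cluster's built-in SCC actually admits before relying on the example, read the field directly, for instance `oc get scc restricted -o jsonpath='{.seccompProfiles}'`; an empty result is the situation the issue describes, where a pod carrying `seccompProfile.type: RuntimeDefault` is rejected at admission unless it can use a more permissive SCC. Note that the kubelet setting only changes what happens when a pod is silent about seccomp; a pod that explicitly asks for runtime/default is still subject to the SCC check.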

Labels: lifecycle/stale