Merge pull request #62756 from wangzhen127/seccomp-in-addon

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Use default seccomp profile for unprivileged addons

**What this PR does / why we need it**:
This PR sets the default seccomp profile of unprivileged addons to 'docker/default'. This PR is a followup of [#62662](https://github.com/kubernetes/kubernetes/pull/62662) and [#62671](https://github.com/kubernetes/kubernetes/pull/62671). We are using 'docker/default' instead of 'runtime/default' in addons in order to handle node version skew. When seccomp profile is applied automatically by default later, we can remove those annotations.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #39845

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```

cluster/addons/cluster-loadbalancing/glbc/default-svc-controller.yaml

@@ -17,6 +17,8 @@ spec:
       labels:
         k8s-app: glbc
         name: glbc
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       containers:
       - name: default-http-backend

cluster/addons/cluster-monitoring/google/heapster-controller.yaml

@@ -56,6 +56,7 @@ spec:
         version: v1.5.3
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       containers:

cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml

@@ -56,6 +56,7 @@ spec:
         version: v1.5.3
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       containers:

cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml

@@ -56,6 +56,7 @@ spec:
         version: v1.5.3
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       containers:

cluster/addons/cluster-monitoring/influxdb/influxdb-grafana-controller.yaml

@@ -21,6 +21,7 @@ spec:
         version: v4
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       tolerations:

cluster/addons/cluster-monitoring/stackdriver/heapster-controller.yaml

@@ -43,6 +43,7 @@ spec:
         version: v1.5.3
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       containers:

cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml

@@ -43,6 +43,7 @@ spec:
         version: v1.5.3
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       containers:

cluster/addons/dashboard/dashboard-controller.yaml

@@ -26,6 +26,7 @@ spec:
         k8s-app: kubernetes-dashboard
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       containers:

cluster/addons/dns-horizontal-autoscaler/dns-horizontal-autoscaler.yaml

@@ -77,6 +77,7 @@ spec:
         k8s-app: kube-dns-autoscaler
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       containers:

cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml

@@ -40,6 +40,8 @@ spec:
     metadata:
       labels:
         app: metadata-agent
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       serviceAccountName: metadata-agent
       containers:
@@ -103,6 +105,8 @@ spec:
     metadata:
       labels:
         app: metadata-agent-cluster-level
+      annotations:
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       serviceAccountName: metadata-agent
       containers:

cluster/addons/metrics-server/metrics-server-deployment.yaml

@@ -43,6 +43,7 @@ spec:
         version: v0.2.1
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        seccomp.security.alpha.kubernetes.io/pod: 'docker/default'
     spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: metrics-server