SeccompProfile CRD: add new fields for seccomp notify

[alban]

What type of PR is this?

/kind feature
/kind api-change

What this PR does / why we need it:

This PR adds support for Seccomp Profiles that make use of the Seccomp Notify feature. Seccomp Notify is a new feature in container runtimes introduced by

• Add Seccomp Notify support using UNIX sockets and container metadata opencontainers/runtime-spec#1074
• Implement seccomp notify support opencontainers/runc#2682 (available in runc 1.1.0)

This patch adds:

• The new seccomp action SCMP_ACT_NOTIFY to defer the decision to a
  seccomp agent
• The ListenerPath and ListenerMetadata fields so the runtime can
  contact the seccomp agent.

Note that the flag SECCOMP_FILTER_FLAG_NEW_LISTENER is not added. See
opencontainers/runtime-spec#1096 for details.

We need this so users can install Seccomp Profiles on worker nodes.

Which issue(s) this PR fixes:

None

Does this PR have test?

No.

One could be implemented in a similar way to test/tc_base_profiles_test.go but then we would need to implement a Seccomp Agent listening on the UNIX socket just for the test. I don't think it is worth the complexity.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Add support for Seccomp Profiles that make use of the Seccomp Notify feature.

cc @rata @mauriciovasquezbernal

[k8s-ci-robot]

Welcome @alban!

It looks like this is your first PR to kubernetes-sigs/security-profiles-operator 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/security-profiles-operator has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @alban. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rata]

I'm no maintainer here, but if it helps I have worked in the runtime-spec and runc changes and this LGTM :)

[saschagrunert]

/ok-to-test

[saschagrunert]

Awesome, thank you for the contribution!

I just have one nit which may block the boilerplate check. Otherwise LGTM

[saschagrunert]

build / bpf-btf is fixed in #798

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alban, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[saschagrunert]

Will merge after e2e-{fedora,ubuntu}