chore: use AppArmorProfile for cilium 1.16 (#3371)

* set appArmorProfile and remove annotations for cilium 1.16 * set dualstack appArmorProfile * set profile per container * update nightly daemonset

Author: camrynl

test/integration/manifests/cilium/daemonset.yaml

@@ -16,10 +16,6 @@ spec:
  template:
  metadata:
  annotations:
- container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
- container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
- container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
- container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
  prometheus.io/port: "9962"
  prometheus.io/scrape: "true"
  creationTimestamp: null
@@ -102,6 +98,8 @@ spec:
  timeoutSeconds: 5
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - CHOWN
@@ -197,6 +195,8 @@ spec:
  name: mount-cgroup
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - SYS_ADMIN
@@ -229,6 +229,8 @@ spec:
  name: apply-sysctl-overwrites
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - SYS_ADMIN
@@ -287,6 +289,8 @@ spec:
  cpu: 100m
  memory: 100Mi
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - NET_ADMIN

test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset-dualstack.yaml

@@ -17,10 +17,6 @@ spec:
  template:
  metadata:
  annotations:
- container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
- container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
- container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
- container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
  prometheus.io/port: "9962"
  prometheus.io/scrape: "true"
  creationTimestamp: null
@@ -97,6 +93,8 @@ spec:
  timeoutSeconds: 5
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - CHOWN
@@ -192,6 +190,8 @@ spec:
  name: mount-cgroup
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - SYS_ADMIN
@@ -224,6 +224,8 @@ spec:
  name: apply-sysctl-overwrites
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - SYS_ADMIN
@@ -282,6 +284,8 @@ spec:
  cpu: 100m
  memory: 100Mi
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - NET_ADMIN

test/integration/manifests/cilium/v1.16/cilium-agent/templates/daemonset.yaml

@@ -17,10 +17,6 @@ spec:
  template:
  metadata:
  annotations:
- container.apparmor.security.beta.kubernetes.io/apply-sysctl-overwrites: unconfined
- container.apparmor.security.beta.kubernetes.io/cilium-agent: unconfined
- container.apparmor.security.beta.kubernetes.io/clean-cilium-state: unconfined
- container.apparmor.security.beta.kubernetes.io/mount-cgroup: unconfined
  prometheus.io/port: "9962"
  prometheus.io/scrape: "true"
  creationTimestamp: null
@@ -97,6 +93,8 @@ spec:
  timeoutSeconds: 5
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - CHOWN
@@ -192,6 +190,8 @@ spec:
  name: mount-cgroup
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - SYS_ADMIN
@@ -224,6 +224,8 @@ spec:
  name: apply-sysctl-overwrites
  resources: {}
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - SYS_ADMIN
@@ -282,6 +284,8 @@ spec:
  cpu: 100m
  memory: 100Mi
  securityContext:
+ appArmorProfile: 
+ type: Unconfined
  capabilities:
  add:
  - NET_ADMIN