Description
Cilium Feature Proposal
Is your proposed feature related to a problem?
Kubernetes added a flag for the kubelet, seccompDefault, which automatically applies the seccomp profile RuntimeDefault to pods without a seccompProfile.type. This kubelet setting enhances the security of the cluster overall.
Describe the feature you'd like
Add seccompProfile.type = Unconfined to cilium pods that cannot use the RuntimeDefault profile.
(Optional) Describe your proposed solution
Elements of the CNI need all sorts of fancy syscalls into bpf space and beyond. Marking those pods as explicitly having no seccompProfile helps document that this is intended and eliminates conflict with clusters using the seccompDefault=true kubelet flag.
Pods that can run with seccompDefault.type = RuntimeDefault should have that set explicitly.
A fancy cilium seccompProfile feels unnecessary and like it would create a burden both in development and distribution.
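The conflict the proposal describes is that a pod with no declared seccompProfile.type silently changes behaviour depending on the kubelet's seccompDefault flag. The following audit script is an added example, not Cilium's code: it applies the Kubernetes precedence rules (container-level seccompProfile overrides pod-level; when neither is set, the kubelet flag decides between RuntimeDefault and Unconfined) to a set of pod manifests and lists the containers whose effective profile depends on the flag. The pod names and manifests are constructed for illustration.

```python
"""Audit Kubernetes pod manifests for explicit seccomp profile settings.

Added example, not Cilium's code. Pod names and manifests below are
constructed for illustration.
"""
import json

# Kubernetes semantics: a container-level seccompProfile overrides the
# pod-level one; when neither is set, the kubelet's seccompDefault flag
# decides whether RuntimeDefault (true) or Unconfined (false) applies.
KUBELET_FALLBACK = {True: "RuntimeDefault", False: "Unconfined"}


def declared_profile(pod_spec, container):
    """Return (type, origin) for the seccomp profile a container declares."""
    c_prof = (container.get("securityContext") or {}).get("seccompProfile") or {}
    if c_prof.get("type"):
        return c_prof["type"], "container"
    p_prof = (pod_spec.get("securityContext") or {}).get("seccompProfile") or {}
    if p_prof.get("type"):
        return p_prof["type"], "pod"
    return None, "unset"


def audit_pod(pod, kubelet_seccomp_default=False):
    """Return one finding per container (init containers first)."""
    spec = pod["spec"]
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        declared, origin = declared_profile(spec, c)
        findings.append({
            "pod": pod["metadata"]["name"],
            "container": c["name"],
            "declared": declared,
            "origin": origin,
            "effective": declared or KUBELET_FALLBACK[kubelet_seccomp_default],
        })
    return findings


def flag_dependent(pods):
    """Containers whose effective profile flips with the kubelet flag.

    These are the ones the proposal wants made explicit: with
    seccompDefault=true they silently become RuntimeDefault, which breaks
    workloads that need Unconfined; with seccompDefault=false they run
    Unconfined without anyone having documented that intent.
    """
    return [f"{f['pod']}/{f['container']}"
            for pod in pods
            for f in audit_pod(pod)
            if f["declared"] is None]


# Constructed sample manifests (JSON so the script stays stdlib-only).
SAMPLE_PODS = [json.loads(s) for s in (
    # A CNI-style pod that explicitly opts out, as the proposal suggests.
    '''{"metadata": {"name": "cni-agent-example"},
        "spec": {"securityContext": {"seccompProfile": {"type": "Unconfined"}},
                 "containers": [{"name": "agent"}]}}''',
    # A pod that explicitly opts in to RuntimeDefault.
    '''{"metadata": {"name": "operator-example"},
        "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                 "containers": [{"name": "operator"}]}}''',
    # Nothing set at pod level; only one container overrides.
    '''{"metadata": {"name": "mixed-example"},
        "spec": {"initContainers": [{"name": "init"}],
                 "containers": [
                   {"name": "sidecar",
                    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}}},
                   {"name": "worker"}]}}''',
)]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"kubelet seccompDefault={flag}")
        for pod in SAMPLE_PODS:
            for f in audit_pod(pod, flag):
                print(f"  {f['pod']}/{f['container']}: declared={f['declared']} "
                      f"({f['origin']}) effective={f['effective']}")
    print("depends on kubelet flag:", flag_dependent(SAMPLE_PODS))
```

Running the script shows that the two explicitly annotated pods behave identically under both kubelet settings, while the init and worker containers of the unannotated pod change from Unconfined to RuntimeDefault when seccompDefault is enabled; those are the containers a manifest review should make explicit one way or the other.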