- Seccomp restricts the system calls a userspace process may make to the kernel, reducing the attack surface of a workload.
- Distributing seccomp profiles in Kubernetes is challenging due to the need for them to be available on all nodes.
- The CRI-O runtime introduces new annotations that allow specifying seccomp profiles for specific containers, pods, or container images.
- Users can reference seccomp profiles as OCI artifacts, enabling profile distribution along with container images.
- CRI-O will pull and apply the specified OCI artifact if the runtime is configured to allow it.
- Workloads running with the Unconfined seccomp profile can use the new annotations.
- The annotation can be applied to a specific container or to the entire pod by using the reserved name POD.
- Container images can have seccomp annotations that are applied to pods using the image.
- The container-image annotation works like the pod-level annotation and applies to the entire pod that uses the image.
- The feature allows creating seccomp profiles specific to container images and storing them alongside the images in a registry.
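The following manifest is an added example, not taken from the original page or from the CRI-O project itself: it shows a Pod that references a seccomp profile stored as an OCI artifact using the pod-wide reserved name POD. The annotation key `seccomp-profile.kubernetes.cri-o.io` and the registry path `registry.example.com/profiles/seccomp` are assumptions (the key is drawn from CRI-O documentation, the registry path is a placeholder); only the reserved name POD and the Unconfined requirement come from the notes above.

```yaml
# Added example (not from the original page or the CRI-O project).
# Annotation key and registry paths are assumptions / placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-artifact-demo
  annotations:
    # Reserved name POD: the profile applies to every container in the pod.
    # Pinning the artifact by digest instead of a mutable tag prevents the
    # profile from silently changing between pod restarts.
    seccomp-profile.kubernetes.cri-o.io/POD: registry.example.com/profiles/seccomp@sha256:<artifact-digest-placeholder>
    # Container-scoped variant (assumed key form), applied only to the
    # container named "app" instead of the whole pod:
    # seccomp-profile.kubernetes.cri-o.io/app: registry.example.com/profiles/seccomp-app@sha256:<artifact-digest-placeholder>
spec:
  securityContext:
    seccompProfile:
      # The annotation is only honoured for workloads running Unconfined;
      # a profile set here via RuntimeDefault or Localhost takes precedence.
      type: Unconfined
  containers:
  - name: app
    image: registry.example.com/app@sha256:<image-digest-placeholder>
```

For CRI-O to act on the annotation, the runtime must be configured to allow it (the notes above only state that the runtime has to permit the pull; the exact configuration knob is not on the page and should be checked against the installed CRI-O version). When reviewing such a manifest, verify that the referenced artifact resolves to a profile you have inspected, since the effective syscall policy of the pod is now defined by registry content rather than by a file on the node.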