This repository was archived by the owner on Mar 9, 2022. It is now read-only.

Runtime default AppArmor profile gets applied to privileged containers #1239

@praseodym

Description

For privileged Kubernetes containers with the runtime/default AppArmor explicitly applied, there is a difference in behaviour between Docker and containerd.

On the one hand, dockershim translates the runtime/default profile into nil (i.e. no explicit profile set). In Docker (Moby), the AppArmor profile then only gets applied when the container is not privileged.

On the other hand, kuberuntime seems to pass whatever is in the AppArmor annotation and the containerd/cri generateApparmorSpecOpts function will not exclude privileged containers in this case (it will when no explicit profile is set).

I think the first behaviour makes the most sense for compatibility with Docker and dockershim, but it does mean that privileged containers will never get the runtime's default AppArmor profile applied (a workaround would be for the cluster operator to clone the default profile under a new name, and apply that instead).

Also, it could be argued that this is better fixed in the Kubelet's kuberuntime, similar to how dockershim works.
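To make the two decision tables concrete, below is an added Go model of the profile selection the issue describes (this is illustrative code, not code from containerd/cri, dockershim or the kubelet), plus a small audit helper that lists the containers that asked for `runtime/default` but would end up with no AppArmor profile on a given runtime. It assumes the standard Kubernetes annotation key prefix and the usual `unconfined` / `localhost/<name>` value semantics; the default-profile names passed in are placeholders.

```go
package main

import "strings"

// Runtime is the CRI implementation whose profile-selection logic is modelled.
type Runtime int

const (
	Dockershim    Runtime = iota // kubelet dockershim in front of Docker/Moby
	ContainerdCRI                // containerd/cri
)

// AnnotationPrefix is the Kubernetes per-container AppArmor annotation key prefix.
const AnnotationPrefix = "container.apparmor.security.beta.kubernetes.io/"

// EffectiveProfile returns the profile a container ends up with (and whether any is applied)
// for an annotation value and privileged flag. Dockershim turns "runtime/default" into "no
// explicit profile" and Docker then confines only unprivileged containers; containerd/cri
// passes the value through and skips privileged containers only when no profile was set.
func EffectiveProfile(rt Runtime, annotation string, privileged bool, defaultProfile string) (string, bool) {
	switch {
	case annotation == "unconfined":
		return "", false
	case strings.HasPrefix(annotation, "localhost/"):
		return strings.TrimPrefix(annotation, "localhost/"), true
	case annotation == "runtime/default" && rt == ContainerdCRI:
		return defaultProfile, true // explicit profile: applied even when privileged
	case annotation == "" || annotation == "runtime/default":
		if privileged {
			return "", false // "no explicit profile": privileged containers are skipped
		}
		return defaultProfile, true
	}
	return "", false // any other value is modelled as "nothing applied"
}

// SilentlyUnconfined lists containers that asked for runtime/default but would run with no
// AppArmor profile on rt; these are the candidates for the cloned-profile workaround.
func SilentlyUnconfined(rt Runtime, annotations map[string]string, privileged map[string]bool) []string {
	var out []string
	for name, priv := range privileged {
		val := annotations[AnnotationPrefix+name]
		if _, applied := EffectiveProfile(rt, val, priv, "runtime-default"); val == "runtime/default" && !applied {
			out = append(out, name)
		}
	}
	return out
}
```

The helper takes the container name to privileged-flag map and the pod annotations straight from a pod spec, so it can be wired into an admission or audit check.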
