What would you like to be added:
The ApparmorProfile CRD should be cluster-wide in scope, and not namespaced. I would argue that SeccompProfile should be the same.
The Profile CRDs are currently namespaced, and there are a number of issues with this:
- When an AppArmor profile is installed, it gets loaded into the Linux kernel of each node and is available cluster-wide; any pod can reference it in its security context.
- There isn't any mechanism in the security context to allow namespacing the security profiles.
- It is currently possible to overwrite a profile from one namespace with another profile created in a different namespace if both profiles have the same name. This can be used to perform cross-namespace attacks. For instance, a less permissive profile gets overwritten by a profile with more privileges from a different namespace, even though the profile creator doesn't have permissions to do so in the original namespace.
Why is this needed:
This will enhance security and make it transparent to RBAC policies that these profiles are actually cluster-wide.
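The cross-namespace name collision described in the issue can be audited from the API server side. The script below is an added example, not code from the issue author or from the security-profiles-operator project: it reads the JSON list that `kubectl get seccompprofiles,apparmorprofiles -A -o json` produces (the list layout and the SeccompProfile `spec.defaultAction` / `spec.syscalls` fields are assumed here), groups profiles the way a node kernel sees them (by kind and name only, ignoring namespace), and flags any name defined in more than one namespace. For seccomp it also reports whether one definition permits syscalls the other does not, which is the escalation case the issue warns about. The embedded sample is constructed for the demonstration.

```python
"""Audit script (added example, not part of the issue or of the
security-profiles-operator code base).

Reads the JSON that `kubectl get seccompprofiles,apparmorprofiles -A -o json`
would print (assumed layout) and flags profile names that exist in more than
one namespace, since a node kernel knows a loaded profile only by name.
"""
import json
from collections import defaultdict

# Constructed sample: two SeccompProfile objects named "web-app" in different
# namespaces (team-b additionally allows ptrace), plus one unique AppArmorProfile.
SAMPLE_JSON = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "SeccompProfile",
         "metadata": {"name": "web-app", "namespace": "team-a"},
         "spec": {"defaultAction": "SCMP_ACT_ERRNO",
                  "syscalls": [{"action": "SCMP_ACT_ALLOW",
                                "names": ["read", "write", "exit_group"]}]}},
        {"kind": "SeccompProfile",
         "metadata": {"name": "web-app", "namespace": "team-b"},
         "spec": {"defaultAction": "SCMP_ACT_ERRNO",
                  "syscalls": [{"action": "SCMP_ACT_ALLOW",
                                "names": ["read", "write", "exit_group",
                                          "ptrace", "process_vm_readv"]}]}},
        {"kind": "AppArmorProfile",
         "metadata": {"name": "db", "namespace": "team-a"},
         "spec": {"policy": "profile db flags=(attach_disconnected) { }"}},
    ],
})


def load_items(raw):
    """Parse a kubectl `-o json` list and return its items."""
    return json.loads(raw)["items"]


def group_by_kernel_name(items):
    """Index profiles the way the node sees them: by (kind, name) only.
    The namespace is known to the API server, not to the kernel."""
    groups = defaultdict(dict)
    for obj in items:
        meta = obj["metadata"]
        groups[(obj["kind"], meta["name"])][meta["namespace"]] = obj.get("spec", {})
    return groups


def seccomp_allowed(spec):
    """Return (default_allows_everything, set of explicitly allowed syscalls)."""
    allowed = set()
    for rule in spec.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(rule.get("names", []))
    return spec.get("defaultAction") == "SCMP_ACT_ALLOW", allowed


def seccomp_widens(base, other):
    """True if `other` permits something that `base` does not."""
    base_all, base_set = seccomp_allowed(base)
    other_all, other_set = seccomp_allowed(other)
    if base_all:
        return False  # base already allows everything; nothing can widen it
    if other_all:
        return True
    return bool(other_set - base_set)


def find_collisions(items):
    """Return [(kind, name, sorted namespaces, escalation_possible)] for every
    profile name that is defined in more than one namespace."""
    out = []
    for (kind, name), by_ns in sorted(group_by_kernel_name(items).items()):
        if len(by_ns) < 2:
            continue
        if kind == "SeccompProfile":
            specs = list(by_ns.values())
            escalates = any(seccomp_widens(a, b)
                            for a in specs for b in specs if a is not b)
        else:
            # AppArmor policy text is not parsed here; any textual difference
            # between the colliding definitions is treated as a potential
            # escalation (conservative assumption).
            escalates = len({json.dumps(s, sort_keys=True)
                             for s in by_ns.values()}) > 1
        out.append((kind, name, sorted(by_ns), escalates))
    return out


if __name__ == "__main__":
    import sys
    # Pipe real cluster output in, or run without input to use the sample.
    raw = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    for kind, name, namespaces, risky in find_collisions(load_items(raw)):
        flag = "ESCALATION-POSSIBLE" if risky else "identical definitions"
        print(f"{kind}/{name} defined in {', '.join(namespaces)}: {flag}")
```

Run it as `kubectl get seccompprofiles,apparmorprofiles -A -o json | python3 audit.py`; a non-empty report means two namespaces are competing for the same kernel-level profile name, which is exactly the situation cluster-scoping the CRDs would rule out at the API level.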