Conditionally set seccompProfile on config-policy

The permissions that the config-policy-controller has changes how this
field is automatically determined on some OpenShift clusters. Without
this, sometimes the pod can not be created, with a message saying this
must be set.

Refs:
 - https://issues.redhat.com/browse/ACM-4590
 - https://issues.redhat.com/browse/ACM-5352

Signed-off-by: Justin Kulikauskas <[email protected]>

Author: JustinKuli

pkg/addon/configpolicy/manifests/managedclusterchart/templates/cleanup_pod.yaml

@@ -64,3 +64,9 @@ spec:
   serviceAccount: {{ include "controller.serviceAccountName" . }}
   securityContext:
     runAsNonRoot: true
+    {{- if semverCompare ">= 1.25.0" .Capabilities.KubeVersion.Version }}
+    {{- /* newer OpenShift (4.12+) versions might require this to be explicitly set */}}
+    {{- /* but not all older kubernetes versions can handle when it is set */}}
+    seccompProfile:
+      type: RuntimeDefault
+    {{- end }}

pkg/addon/configpolicy/manifests/managedclusterchart/templates/deployment.yaml

@@ -184,6 +184,10 @@ spec:
       serviceAccount: {{ include "controller.serviceAccountName" . }}
       securityContext:
         runAsNonRoot: true
+        {{- if semverCompare ">= 1.25.0" .Capabilities.KubeVersion.Version }}
+        {{- /* newer OpenShift (4.12+) versions might require this to be explicitly set */}}
+        {{- /* but not all older kubernetes versions can handle when it is set */}}
         seccompProfile:
           type: RuntimeDefault
+        {{- end }}
       terminationGracePeriodSeconds: 120