Partly remove support for seccomp annotations
We now partly drop the support for seccomp annotations which is planned
for v1.25 as part of the KEP:

kubernetes/enhancements#135

Pod security policies are not touched by this change and therefore we
have to keep the annotation key constants.

This means we only allow the usage of the annotations for backwards
compatibility reasons while the synchronization of the field to
annotation is no longer supported. Using the annotations for static pods
is also not supported any more.

Making the annotations fully non-functional will be deferred to a
future release.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

Kubernetes-commit: 584783ee9f89fbff58bb69f6107db18f18ba8746
saschagrunert authored and k8s-publishing-bot committed May 5, 2022
1 parent e1f25b8 commit 6b7d1dc
Showing 1 changed file with 2 additions and 4 deletions.
6 changes: 2 additions & 4 deletions admission/admission.go
Expand Up @@ -626,13 +626,10 @@ func (a *Admission) PolicyToEvaluate(labels map[string]string) (api.Policy, fiel
}

// isSignificantPodUpdate determines whether a pod update should trigger a policy evaluation.
// Relevant mutable pod fields as of 1.21 are image and seccomp annotations:
// Relevant mutable pod fields as of 1.21 are image annotations:
// * https://github.com/kubernetes/kubernetes/blob/release-1.21/pkg/apis/core/validation/validation.go#L3947-L3949
func isSignificantPodUpdate(pod, oldPod *corev1.Pod) bool {
// TODO: invert this logic to only allow specific update types.
if pod.Annotations[corev1.SeccompPodAnnotationKey] != oldPod.Annotations[corev1.SeccompPodAnnotationKey] {
return true
}
if len(pod.Spec.Containers) != len(oldPod.Spec.Containers) {
return true
}
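Review bot: The rewritten doc comment now reads "Relevant mutable pod fields as of 1.21 are image annotations", which is not what the code checks; the original "image and seccomp annotations" meant the container image field plus the seccomp annotations, so after dropping the seccomp part it should say something like "Relevant mutable pod fields as of 1.21 are container images:". Separately, this hunk removes the pod-level `corev1.SeccompPodAnnotationKey` comparison outright while the container-level annotation comparison in `isSignificantContainerUpdate` is kept with a removal TODO; since the commit message says the annotations remain usable for backwards compatibility, a change to the pod-level annotation on an existing pod will no longer trigger policy re-evaluation during that window, so either keep the pod-level check behind the same TODO or state in the commit message why the two levels are treated differently.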
Expand Down Expand Up @@ -672,6 +669,7 @@ func isSignificantContainerUpdate(container, oldContainer *corev1.Container, ann
if container.Image != oldContainer.Image {
return true
}
// TODO(saschagrunert): Remove this logic in 1.27.
seccompKey := corev1.SeccompContainerAnnotationKeyPrefix + container.Name
return annotations[seccompKey] != oldAnnotations[seccompKey]
}
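Review bot: The added `// TODO(saschagrunert): Remove this logic in 1.27.` should say what "this logic" is and why 1.27 is the target, so a future reader does not have to dig through history; suggest tying it to the KEP named in the commit message, e.g. `// TODO: remove the seccomp annotation comparison once the annotations are fully non-functional (kubernetes/enhancements#135).` The remaining `seccompKey` comparison itself is unchanged and still correct for the container-level annotation.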