Description

Commit 8cf3222#diff-208130c20edcdc687fd2a4c092c9c22ad3f198f3fe2d27ea50c74a2656c4764d introduces some extra processing of seccomp-related sandbox annotations. As a result of this change, most sandbox annotations are no longer propagated to the container annotations.

Steps to reproduce the issue:

1. create pod with k8s annotations
2. observe that the sandbox OCI config contains the k8s annotations (as expected)
3. observe that the container(s) OCI config(s) do not contain the k8s annotations. They were not propagated from the sandbox config to the container config.

Describe the results you expected:

Sandbox annotations should also appear in the container's OCI spec.

Additional information you deem important (e.g. issue happens only occasionally):

Regression is in 1.21 (OpenShift 4.8). So, the fix should be backported.

Output of crio --version:

sh-4.4# rpm -q cri-o
cri-o-1.21.1-12.rhaos4.8.git30ca719.el8.x86_64
sh-4.4# crio --version
crio version 1.21.1-12.rhaos4.8.git30ca719.el8
Version:    1.21.1-12.rhaos4.8.git30ca719.el8
GoVersion:  go1.16.4
Compiler:   gc
Platform:   linux/amd64
Linkmode:   dynamic

Additional environment details (AWS, VirtualBox, physical, etc.):

OpenShift 4.8.0.