Tags: kubernetes, apparmor, seccomp

Enable default seccomp and AppArmor profiles at the cluster level


Can I enable, at the cluster level, that pods use the default seccomp and AppArmor profiles, or do I need to write an admission controller of my own to insert the annotation into the objects?

Leaving it to users is not an option.


Solution

  • There is already the PodSecurityPolicy object, which is essentially an implementation of an admission controller. You can control the seccomp and AppArmor profiles using annotations on the PodSecurityPolicy:

    For example (as described in the docs); notice the 'default' in the annotation names:

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: restricted
      annotations:
        seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
        apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
        seccomp.security.alpha.kubernetes.io/defaultProfileName:  'docker/default'
        apparmor.security.beta.kubernetes.io/defaultProfileName:  'runtime/default'
    spec:
    ...
    

    Note that Seccomp is alpha and Apparmor is beta as of this writing.