
Allow setting containerd device_ownership_from_security_context from config #11168

Open
nick123pig opened this issue Oct 24, 2024 · 3 comments
@nick123pig

Is your feature request related to a problem? Please describe.
Yes - I was trying to set the containerd config item device_ownership_from_security_context = true per the instructions here.

I was attempting to use the config.toml.tmpl strategy by extending the base and just adding my one config item, but unfortunately you can't redefine a table, so I kept getting containerd: failed to load TOML: /var/lib/rancher/k3s/agent/etc/containerd/config.toml: (47, 4): duplicated tables

I had to settle for copying the entire config.toml to the config.toml.tmpl and then adding my one line. However, this will make upgrades a pain, as I will have to re-sync the base.tmpl.

Describe the solution you'd like
A lot of this section is already templated from config, so I would suggest adding it as a config item.

Describe alternatives you've considered
NA

Additional context
NA

@brandond brandond added this to the 2024-11 Release Cycle milestone Oct 24, 2024
@brandond
Member

brandond commented Oct 28, 2024

If it was not for the security considerations I would lean towards just enabling this by default. Since it is security related I think it probably deserves a CLI flag, but the field in the config is so ungodly long... I sure don't want a k3s flag named --containerd-device-ownership-from-security-context.

Open to suggestions, I guess?

@nick123pig
Author

Agreed, it's really long.

  • --containerd-device-sec-context
  • --device-security-context
  • --nonroot-device-ownership
  • --allow-nonroot-device-usage

@brandond
Member

Yeah, something like --nonroot-devices? I'll discuss it with the team.

Projects
Status: Peer Review