[NET-9932] Always add NET_BIND_SERVICE capability to injected sidecar container

[nathancoleman]

Changes proposed in this PR

Consul-dataplane always requires the NET_BIND_SERVICE capability (docs). This is explicitly allowed under the restricted-v2 SecurityContextConstraints (SCC) that ships with OpenShift 4.11+; however, the container needs to request the capability in order for it to be granted. This change does that.

How I've tested this PR

Worked w/ @natemollica-nm to verify that this fix allows the application sidecar running the consul-dataplane image to spin up successfully under the restricted-v2 SCC where it would have previously logged the following error on startup.

Defaulted container "consul-dataplane" out of: consul-dataplane, backend, consul-connect-inject-init (init)
[dumb-init] /usr/local/bin/consul-dataplane: Operation not permitted

Application sidecars should now be fully functional on OpenShift without creating a custom SCC.
The Pod containing the injected sidecar should get an annotation from OpenShift indicating that it's using the restricted-v2 SCC.

How I expect reviewers to test this PR

See above

Checklist

• Tests added
• CHANGELOG entry added

[nathancoleman]

Note to self: This PR cannot be backported to any release that requires running Consul w/ the anyuid SecurityContextConstraints. If we do, then we get the following error due to the fact that anyuid does not allow the NET_BIND_SERVICE capability.

pods "backend-6c4cf7dc55-" is forbidden: unable to validate against any security context constraint:
| [provider anyuid: .containers[0].capabilities.add:                                                                                                                                                
│       Invalid value: "NET_BIND_SERVICE": capability may not be added