fix: Enable unprivileged ports sysctl in containerd config (#1099)
This enables pods to run as non-root and bind to privileged ports as long as they have the necessary capability, `CAP_NET_BIND_SERVICE`, added. This fixes an issue on AWS when bringing up CoreDNS, which binds to port 53 but runs as an unprivileged user. Overall this is a net security improvement for clusters, meaning users can stop giving too many privileges to pods; see kubernetes/kubernetes#102612 for discussion.
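As an added illustration (not part of this commit or this repository's own config), the containerd CRI setting the title refers to, with the default beside the corrected value. The file path is the standard containerd location and is an assumption here; the sysctl behaviour described in the comments is containerd's documented effect of the setting.

```toml
# /etc/containerd/config.toml (assumed default location; restart containerd after editing)
version = 2

[plugins."io.containerd.grpc.v1.cri"]
  # Default (weak for non-root workloads): containerd leaves the kernel default
  # net.ipv4.ip_unprivileged_port_start=1024 in each pod's network namespace,
  # so a process running as an unprivileged user cannot bind port 53 and the
  # usual workaround is to run the pod as root.
  # enable_unprivileged_ports = false

  # Corrected: containerd sets net.ipv4.ip_unprivileged_port_start=0 in the
  # pod's network namespace, so a non-root process can bind ports below 1024
  # and the pod no longer needs root just to listen on port 53.
  enable_unprivileged_ports = true
```

On the pod side, keep the workload non-root (`runAsNonRoot: true`) and grant only `NET_BIND_SERVICE` on top of `drop: ["ALL"]` rather than broader privileges. To confirm the setting took effect, read `/proc/sys/net/ipv4/ip_unprivileged_port_start` from inside a pod started after the restart; it reports 0.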