Automatic merge from submit-queue (batch tested with PRs 48665, 52849, 54006, 53755). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Order PSP by name, prefer non-mutating PSPs
Fixes#36184Fixes#23217
Related to #23217
Removes unnecessary mutation of pods:
* Determines effective security context for pods using a wrapper containing the pod and container security context, rather than building/setting a combined struct on every admission
* Does not set `privileged:&false` on security contexts with `privileged:nil`
* Does not set `runAsNonRoot:&true` on security contexts that already have a non-nil, non-0 `runAsUser`
* Does not mutate/normalize container capabilities unless changes are required (missing defaultAddCapabilities or requiredDropCapabilities)
Defines behavior when multiple PSP objects allow a pod:
* PSPs which allow the pod as-is (no defaulting/mutating) are preferred
* If the pod must be defaulted/mutated to be allowed, the first PSP (ordered by name) to allow the pod is selected
* During update operations, when mutations to pod specs are disallowed, only non-mutating PSPs are used to validate the pod
```release-note
PodSecurityPolicy: when multiple policies allow a submitted pod, priority is given to ones which do not require any fields in the pod spec to be defaulted. If the pod must be defaulted, the first policy (ordered by name) that allows the pod is used.
```
97808e5a86