
[K8s] Make pod and container securityContext configurable (closes #1432)#1463

Open
mskuratowski wants to merge 1 commit intolithops-cloud:masterfrom
mskuratowski:feat/k8s-configurable-security-context

Conversation

@mskuratowski
Contributor

Closes #1432.

Two new optional config keys under k8s:

| Key | Default | Notes |
| --- | --- | --- |
| `container_security_context` | PSS Baseline (drop ALL caps, no privesc, RuntimeDefault seccomp) | Applied to every Lithops pod (master, worker, metadata) |
| `pod_security_context` | `null` | Opt-in; needed for PSS Restricted clusters (EGI Rancher, GKE Autopilot, OpenShift, …). Requires a non-root runtime image. |

User-provided values fully replace defaults (no merge), per docs.

The constraint @aicardi-obspm hit isn't Rancher-specific; it's the upstream Pod Security Standards "Restricted" profile, enforced by GKE Autopilot, OpenShift, EKS with admission, etc. A generic raw-dict config covers all of them without growing a vendor-named enum, and ships secure-by-default for the parts that don't require image cooperation.

Discussed under #1432.

Developer's Certificate of Origin 1.1

   By making a contribution to this project, I certify that:

   (a) The contribution was created in whole or in part by me and I
       have the right to submit it under the Apache License 2.0; or

   (b) The contribution is based upon previous work that, to the best
       of my knowledge, is covered under an appropriate open source
       license and I have the right under that license to submit that
       work with modifications, whether created in whole or in part
       by me, under the same open source license (unless I am
       permitted to submit under a different license), as indicated
       in the file; or

   (c) The contribution was provided directly to me by some other
       person who certified (a), (b) or (c) and I have not modified
       it.

   (d) I understand and agree that this project and the contribution
       are public and that a record of the contribution (including all
       personal information I submit with it, including my sign-off) is
       maintained indefinitely and may be redistributed consistent with
       this project or the open source license(s) involved.
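An added example, not Lithops project code and not the PR's diff, showing how the two `k8s` keys described in the PR description resolve into a pod spec and how to check the result against the Pod Security Standards "Restricted" profile before submitting it to an admission-enforced cluster. The key names, the replace-not-merge rule and the `null` pod-level default come from the PR text; the concrete default values are my reading of "drop ALL caps, no privesc, RuntimeDefault seccomp", and the function names, the pod-spec shape and the sample configs are assumptions made for this example. The Restricted checks cover the controls the PR deals with (capabilities, privilege escalation, seccomp, non-root) plus the privileged/host-namespace rules Restricted inherits from Baseline; the third sample config demonstrates the failure mode the "no merge" rule implies, where a partial override silently discards the secure defaults.

```python
"""Added example (not Lithops code): resolve k8s securityContext config keys
and check the resulting pod spec against PSS "Restricted"."""
import copy
from typing import Any, Optional

# Assumed concrete form of the PR's default for container_security_context:
# "drop ALL caps, no privesc, RuntimeDefault seccomp".
DEFAULT_CONTAINER_SECURITY_CONTEXT: dict[str, Any] = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "seccompProfile": {"type": "RuntimeDefault"},
}
# pod_security_context defaults to null (opt-in), per the PR description.
DEFAULT_POD_SECURITY_CONTEXT: Optional[dict] = None


def resolve_security_contexts(k8s_config: dict) -> tuple:
    """Return (pod_sc, container_sc). A user-supplied value replaces the
    default wholesale (no merge), so a partial dict loses every default."""
    container_sc = k8s_config.get("container_security_context", DEFAULT_CONTAINER_SECURITY_CONTEXT)
    pod_sc = k8s_config.get("pod_security_context", DEFAULT_POD_SECURITY_CONTEXT)
    return copy.deepcopy(pod_sc), copy.deepcopy(container_sc)


def build_pod_spec(image: str, k8s_config: dict) -> dict:
    """Minimal pod spec (assumed shape) with the resolved contexts applied."""
    pod_sc, container_sc = resolve_security_contexts(k8s_config)
    container: dict = {"name": "lithops", "image": image}
    if container_sc:
        container["securityContext"] = container_sc
    spec: dict = {"containers": [container], "restartPolicy": "Never"}
    if pod_sc:
        spec["securityContext"] = pod_sc
    return spec


def check_pss_restricted(pod_spec: dict) -> list:
    """Return PSS Restricted violations for a pod spec (empty list if clean)."""
    problems: list = []
    pod_sc = pod_spec.get("securityContext") or {}
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            problems.append(f"pod: {field} must be unset or false")
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        if sc.get("privileged"):
            problems.append(f"{name}: privileged must be unset or false")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in [x.upper() for x in caps.get("drop", [])]:
            problems.append(f"{name}: capabilities.drop must contain ALL")
        if set(x.upper() for x in caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE")
        # Container-level values override pod-level ones for these fields.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot must be true (container or pod level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            problems.append(f"{name}: runAsUser must not be 0")
    return problems


if __name__ == "__main__":
    # Constructed sample configs and image name; not from a real deployment.
    samples = {
        "defaults only": {},
        "restricted (non-root image)": {
            "pod_security_context": {"runAsNonRoot": True, "runAsUser": 1000,
                                     "runAsGroup": 1000, "fsGroup": 1000}},
        # Replace-not-merge: this override discards drop ALL, no-privesc, seccomp.
        "partial container override": {"container_security_context": {"runAsUser": 1000}},
    }
    for label, cfg in samples.items():
        spec = build_pod_spec("example/lithops-nonroot:0", cfg)
        print(f"{label}: {check_pss_restricted(spec) or 'OK'}")
```

Run it as a script to see the three outcomes: the defaults alone fail only on `runAsNonRoot`, which is exactly the part the PR says needs a non-root image and an opt-in `pod_security_context`; the partial override fails on four counts, which is the check you want in a pre-flight step before a job hits an admission webhook.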


Development

Successfully merging this pull request may close these issues.

Trouble with K8s platform expecting Jobs to meet security requirements