feat: add pod security context defaults and CRD overrides

[Defilan]

Summary

• Adds default PodSecurityContext (seccompProfile: RuntimeDefault) and container SecurityContext (allowPrivilegeEscalation: false, capabilities.drop: ALL) to all inference pods and init containers
• Exposes new podSecurityContext and securityContext fields on the InferenceService CRD so users can override defaults when needed (e.g. setting fsGroup for OpenShift namespaces)
• Regenerates CRD manifests and syncs Helm chart CRD

Motivation

On OpenShift 4.21, the restricted-v2 SCC requires seccompProfile: RuntimeDefault to match. Without any security context, pods fall back to a less capable SCC that doesn't inject fsGroup, so the PVC at /models stays root:root 0755 and the non-root init container fails with mkdir: Permission denied. This also affects any cluster enforcing the Kubernetes Pod Security Standards "restricted" profile.

Breaking change

Existing inference pods will be updated with security contexts on next reconcile. Deployments using custom images that require Linux capabilities or privilege escalation must set the new securityContext field to restore previous behavior.

How OpenShift users fix their deployment

After this change, OpenShift users can add podSecurityContext to their InferenceService:

spec:
  modelRef: tinyllama
  podSecurityContext:
    fsGroup: 1000680000
    runAsNonRoot: true

The seccompProfile: RuntimeDefault default may also be sufficient on its own, since it allows proper SCC matching which auto-injects fsGroup.

Test plan

• make generate && make manifests passes
• make test passes (all existing + 6 new security context tests)
• make vet && make fmt clean
• Manual: deploy on OpenShift with podSecurityContext.fsGroup set (requested reporter to test)

Fixes #238

[Defilan]

@kannon92 is going to have a look to see if this works. If we're in a good spot, I'll get it merged

[kannon92]

#238 (comment)

LGTM!