
Expand PodOverrides with volumes, volumeMounts, and securityContext#1041

Open
JustinElst wants to merge 1 commit into kelos-dev:main from JustinElst:feat/pod-overrides-expansion

Conversation


@JustinElst JustinElst commented Apr 28, 2026

What type of PR is this?

/kind feature

What this PR does / why we need it:

Adds four optional fields to the shared PodOverrides struct so that spawned Task pods can attach extra volumes, mount them into the agent container, and declare pod- and container-level security contexts:

  • volumes — appended to the Job's PodSpec.Volumes. User-supplied names must not collide with Kelos-managed names (workspace, kelos-plugin); duplicates are rejected.
  • volumeMounts — appended to the agent container's mounts. A flat list rather than a map keyed by container name; only the agent container is exposed, init containers stay private.
  • podSecurityContext — replaces the pod-level security context set by the controller. As a carve-out, fsGroup is preserved from Kelos's default when the user does not set it explicitly, so the agent user retains read/write access to the workspace volume.
  • containerSecurityContext — replaces the agent container's security context, so callers can declare allowPrivilegeEscalation: false, capabilities.drop: [ALL], readOnlyRootFilesystem: true, etc., and the pod can land in a PSS-restricted namespace.

Without these fields, namespaces enforcing PSS restricted reject Kelos-spawned pods because the spawned containers don't declare the required security primitives — so operators are forced to relax the agent namespace to baseline. With these fields exposed, callers can opt back into restricted and can also mount things like writable profile dirs, custom CA bundles, or per-task config files.

This PR also fixes a latent bug in internal/helmchart/render.go: rendered templates were being split into YAML documents with strings.Split(content, "---\n"), which corrupts documents whose description text happens to contain "---\n". The new corev1 types pulled into the CRD surface this — PodSecurityContext.fsGroup's description contains the literal example rw-rw----\n, which the naive split treats as a document boundary. Replaced with k8s.io/apimachinery/pkg/util/yaml's reader, which only splits on lines that exactly match ---. A couple of render tests that relied on a substring search for ":latest" were also tightened to match real image references rather than CRD description text mentioning :latest in prose.

Which issue(s) this PR is related to:

N/A

Special notes for your reviewer:

  • ServiceAccountName was already exposed on PodOverrides, so this PR only adds the four new fields above.
  • VolumeMounts and ContainerSecurityContext are intentionally not keyed by container name — the agent container is the only meaningful target, and exposing init containers would let users break the workspace setup. The flat shape mirrors how Resources is exposed today.
  • PodSecurityContext merge semantics: user values win field-by-field on the user-supplied struct (Kelos copies it via DeepCopy and applies it directly), with one exception — if the user did not set FSGroup, the controller preserves the Kelos-default FSGroup, since dropping it silently breaks workspace volume access.
  • New tests cover: volume append, reserved volume name rejection, duplicate volume name rejection, volumeMount append, FSGroup preservation when the user omits it, FSGroup override when the user sets it, and container security context replacement.

Does this PR introduce a user-facing change?

Expand `PodOverrides` (used by both `Task` and `TaskSpawner`) with `volumes`, `volumeMounts`, `podSecurityContext`, and `containerSecurityContext`. This lets callers attach extra volumes, mount them into the agent container, and declare security contexts so spawned pods can land in PSS-`restricted` namespaces.

Adds four optional fields to the shared PodOverrides struct so that
spawned Task pods can attach extra volumes, mount them into the agent
container, and declare pod- and container-level securityContext. This
unblocks PSS-restricted namespaces and use cases that need extra
mounts (writable profile dirs, CA bundles, custom CLI configs).

Field semantics:

- Volumes: appended to the Job's PodSpec.Volumes; user-supplied names
  must not collide with the Kelos-managed names "workspace" and
  "kelos-plugin", and duplicates are rejected.
- VolumeMounts: appended to the agent container's mounts. A flat list
  rather than a map keyed by container name -- only the agent
  container is exposed; init containers stay private.
- PodSecurityContext: replaces the pod-level securityContext set by
  the controller. As a carve-out, FSGroup is preserved from Kelos's
  default when the user does not set it explicitly, so the agent user
  retains read/write access to the workspace volume.
- ContainerSecurityContext: replaces the agent container's
  securityContext (allowPrivilegeEscalation=false,
  capabilities.drop=[ALL], readOnlyRootFilesystem=true, etc.) so the
  pod can land in a PSS-restricted namespace.

Also fixes a latent bug in helmchart.Render: rendered templates were
being split into YAML documents with strings.Split(content, "---\n"),
which corrupts documents whose description text happens to contain
"---\n". The new corev1 types pulled into the CRD surface this --
PodSecurityContext.fsGroup's description contains the literal example
"rw-rw----\n", which the naive split treats as a document boundary.
Replaced with k8s.io/apimachinery/pkg/util/yaml's reader, which only
splits on lines that exactly match "---". Existing render tests that
relied on a substring search for ":latest" were also tightened to
match real image references rather than CRD description text that
mentions ":latest" in prose.
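The merge rules described in this PR (append volumes with reserved and duplicate names rejected, append agent mounts, replace the pod security context except for an unset fsGroup, replace the container security context), implemented as an added example. This is not Kelos's code: the stand-in types, the `AgentPodSpec` shape, the default fsGroup of 1000 and the error values are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for the corev1 types named in the PR, constructed for this
// example; they are not Kelos's or Kubernetes' types.
type Volume struct{ Name string }
type VolumeMount struct{ Name, MountPath string }
type PodSecurityContext struct {
	RunAsNonRoot   *bool
	FSGroup        *int64
	SeccompProfile string // e.g. "RuntimeDefault", required by PSS restricted
}
type ContainerSecurityContext struct {
	AllowPrivilegeEscalation *bool
	ReadOnlyRootFilesystem   *bool
	DropCapabilities         []string
}

// PodOverrides carries the four optional fields the PR adds.
type PodOverrides struct {
	Volumes                  []Volume
	VolumeMounts             []VolumeMount
	PodSecurityContext       *PodSecurityContext
	ContainerSecurityContext *ContainerSecurityContext
}

// AgentPodSpec is the part of the Job's PodSpec the overrides touch.
type AgentPodSpec struct {
	Volumes              []Volume
	AgentMounts          []VolumeMount // the agent container's mounts only
	SecurityContext      *PodSecurityContext
	AgentSecurityContext *ContainerSecurityContext
}

var reservedVolumes = map[string]bool{"workspace": true, "kelos-plugin": true}

var (
	ErrReservedVolume  = errors.New("volume name is reserved for Kelos")
	ErrDuplicateVolume = errors.New("duplicate volume name")
)

func ptr[T any](v T) *T { return &v }

// defaultAgentPodSpec plays the controller-managed baseline: the two managed
// volumes and a default fsGroup (1000 is assumed) for workspace write access.
func defaultAgentPodSpec() *AgentPodSpec {
	return &AgentPodSpec{
		Volumes:         []Volume{{Name: "workspace"}, {Name: "kelos-plugin"}},
		AgentMounts:     []VolumeMount{{Name: "workspace", MountPath: "/workspace"}},
		SecurityContext: &PodSecurityContext{FSGroup: ptr(int64(1000))},
	}
}

// applyOverrides appends volumes and mounts (rejecting reserved and duplicate
// names before mutating anything), replaces the pod security context except
// that an unset fsGroup inherits the baseline, and replaces the agent
// container's security context wholesale.
func applyOverrides(spec *AgentPodSpec, o PodOverrides) error {
	seen := map[string]bool{}
	for _, v := range spec.Volumes {
		seen[v.Name] = true
	}
	for _, v := range o.Volumes {
		if reservedVolumes[v.Name] {
			return fmt.Errorf("%w: %q", ErrReservedVolume, v.Name)
		}
		if seen[v.Name] {
			return fmt.Errorf("%w: %q", ErrDuplicateVolume, v.Name)
		}
		seen[v.Name] = true
	}
	spec.Volumes = append(spec.Volumes, o.Volumes...)
	spec.AgentMounts = append(spec.AgentMounts, o.VolumeMounts...)
	if o.PodSecurityContext != nil {
		psc := *o.PodSecurityContext // struct copy stands in for DeepCopy
		if psc.FSGroup == nil && spec.SecurityContext != nil {
			psc.FSGroup = spec.SecurityContext.FSGroup // the fsGroup carve-out
		}
		spec.SecurityContext = &psc
	}
	if o.ContainerSecurityContext != nil {
		csc := *o.ContainerSecurityContext
		csc.DropCapabilities = append([]string(nil), csc.DropCapabilities...)
		spec.AgentSecurityContext = &csc
	}
	return nil
}

func main() {
	spec := defaultAgentPodSpec()
	err := applyOverrides(spec, PodOverrides{
		Volumes:            []Volume{{Name: "ca-bundle"}},
		VolumeMounts:       []VolumeMount{{Name: "ca-bundle", MountPath: "/etc/ssl/certs/extra"}},
		PodSecurityContext: &PodSecurityContext{RunAsNonRoot: ptr(true), SeccompProfile: "RuntimeDefault"},
	})
	fmt.Println(err, *spec.SecurityContext.FSGroup, len(spec.Volumes), len(spec.AgentMounts))
}
```

Validation runs over the whole user list before any append, so a rejected override leaves the baseline spec untouched; the struct copy shares pointer fields with the caller's struct, which is why the real controller uses DeepCopy.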
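The helmchart.Render splitting bug from the description, reproduced as an added example that is not the project's render.go: the naive `strings.Split` on `"---\n"` beside a line-based splitter written with the standard library (a stand-in for the `k8s.io/apimachinery/pkg/util/yaml` reader the PR adopts, not that reader itself), both run over a constructed two-document chart excerpt whose fsGroup description ends in `rw-rw----`.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// splitNaive is the pre-fix behaviour the PR describes: every occurrence of
// "---\n" in the rendered text is taken as a document boundary, wherever it
// sits inside a line.
func splitNaive(content string) []string {
	return strings.Split(content, "---\n")
}

// splitOnSeparatorLines only treats a line that is exactly "---" (trailing
// blanks ignored) as a boundary. It is a stdlib stand-in for the apimachinery
// YAML reader, written for this example.
func splitOnSeparatorLines(content string) []string {
	var docs []string
	var cur strings.Builder
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimRight(line, " \t") == "---" {
			docs = append(docs, cur.String())
			cur.Reset()
			continue
		}
		cur.WriteString(line)
		cur.WriteByte('\n')
	}
	return append(docs, cur.String())
}

// rendered is a constructed two-document excerpt of a rendered chart. The
// fsGroup description line ends in "rw-rw----", so the text contains "---\n"
// once inside the first document and once as the real separator.
const rendered = `apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: tasks.example.invalid
spec:
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          fsGroup:
            description: |-
              The permission bits are OR'd with rw-rw----

              If unset, the Kubelet will not modify the ownership.
            type: integer
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo
`

func main() {
	fmt.Println("naive pieces:", len(splitNaive(rendered)))                 // 3
	fmt.Println("separator-line docs:", len(splitOnSeparatorLines(rendered))) // 2
}
```

The naive split cuts the CRD in the middle of its description and yields a third, non-YAML fragment; the line-based split keeps the description intact. bufio.Scanner's default 64 KiB line limit is enough for this excerpt; for real rendered manifests with very long lines, raise it with `sc.Buffer`.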
@CLAassistant

CLAassistant commented Apr 28, 2026

CLA assistant check
All committers have signed the CLA.

github-actions Bot added the kind/feature (categorizes issue or PR as related to a new feature), needs-triage, needs-priority, needs-actor and release-note labels on Apr 28, 2026

cubic-dev-ai Bot left a comment


No issues found across 12 files

