Add PSA configuration for image unpacker

[tylerslaton]

Creating an issue from the follow-ups outlined here: https://github.com/operator-framework/rukpak/pull/539#issuecomment-1233371230

Summary

In a recent merge we introduced the initial approach for adding PSA compliance to RukPak resources. In this approach, however, we opted to run the rukpak-system namespace in baseline PSA enforcement, which allows lower levels of security validation (like Pods being allowed to run as root which is a necessity for the current image unpacker implementation).

We would like to introduce a level of configuration for the unpacker struct that allows provisioners to opt-in to more a restrictive security context. This will allow the plain provisioner (and potentially helm provisioner) to use that configuration for more advanced pod security while also allowing the registry provisioner to ignore the configuration as it has legacy content that could run as root and should be considered immutable.

Note: It may also be necessary to create a separate namespace that the registry provisioner runs in with baseline set while the default rukpak-system namespace runs in restricted (which would contain all other RukPak resources).

A/C

• [ ] Add the configuration for setting restrictive security contexts and have it be opt-in
• [ ] Update the plain provisioner to utilize this more restrictive configuration
• [ ] Update the tests and testdata for the plain provisioner to pass with restrictive contexts (I.E, not allowing root users for bundles)
• [ ] Update the documentation for the plain provisioner to outline how bundle files need to be world-readable.
• [ ] Determine if all of the above options need to allow happen for the helm provisioner.

[github-actions[bot]]

This issue has become stale because it has been open 60 days with no activity. The maintainers of this repo will remove this label during issue triage or it will be removed automatically after an update. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.

[awgreene]

/label lifecycle/stale

[openshift-ci[bot]]

@awgreene: The label(s) /label lifecycle/stale cannot be applied. These labels are supported: platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, downstream-change-needed, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, jira/valid-bug, staff-eng-approved. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to [this](https://github.com/operator-framework/rukpak/issues/548#issuecomment-1319145307): >/label lifecycle/stale Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.