rancher-sandbox / rancher-desktop

Container Management and Kubernetes on the Desktop
https://rancherdesktop.io
Apache License 2.0

Image allow list: do not default-allow Kubernetes images when Kubernetes disabled #3621

Open mook-as opened 1 year ago

mook-as commented 1 year ago

Actual Behavior

When Kubernetes is not enabled, we should not default-allow the Kubernetes images.

Steps to Reproduce

  1. Disable Kubernetes.
  2. Enable the image allow list.
     a. Do not add any images.
  3. Examine the image allow list configuration on disk (/usr/local/openresty/nginx/conf/image-allow-list.conf).

Result

"~*^registry\.k8s\.io(:443)?/v2/pause/manifests/[^/]+$" 0;
"~*^[^./]+\.pkg\.dev(:443)?/v2/.+/manifests/[^/]+$" 0;
"~*^registry-1\.docker\.io(:443)?/v2/rancher/mirrored-pause/manifests/[^/]+$" 0;

Expected Behavior

The image allow list should be empty.

Additional Information

No response

Rancher Desktop Version

1.6.0-537-g200036a0

Rancher Desktop K8s Version

N/A

Which container engine are you using?

containerd (nerdctl)

What operating system are you using?

Windows

Operating System / Build Version

Windows 11 Pro 21H2 (Build 22000.1219)

What CPU architecture are you using?

x64

Linux only: what package format did you use to install Rancher Desktop?

None

Windows User Only

No response
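Added example, not code from the issue or from the Rancher Desktop code base: a small Python model of the three openresty `map` entries quoted above, showing which manifest requests they match and why they should only be rendered when Kubernetes is enabled. It assumes (hypothetically; the project's real proxy config is not on this page) that an entry of the form `"~*<regex>" 0;` means a case-insensitive regex whose match is allowed (0 = not blocked) and that an unmatched request is blocked. The function names `render_allow_list`, `parse_entries` and `is_allowed`, the `kubernetes_enabled` flag and all hostnames and image names used as input are constructed for the example.

```python
"""Model of the image-allow-list entries reported in the issue.

Added example, not Rancher Desktop code.  Assumptions (hypothetical):
  * '"~*<regex>" 0;' is an nginx map entry: case-insensitive regex,
    value 0 meaning "not blocked";
  * a request matching no entry is blocked;
  * the proxy matches on "<host>[:443]/v2/<name>/manifests/<ref>".
Python's re is used in place of nginx's PCRE; the patterns here use only
constructs that behave identically in both.
"""
import re

# The three entries the issue found in image-allow-list.conf with
# Kubernetes disabled and an otherwise empty allow list.
K8S_DEFAULT_PATTERNS = [
    r"^registry\.k8s\.io(:443)?/v2/pause/manifests/[^/]+$",
    r"^[^./]+\.pkg\.dev(:443)?/v2/.+/manifests/[^/]+$",
    r"^registry-1\.docker\.io(:443)?/v2/rancher/mirrored-pause/manifests/[^/]+$",
]


def render_allow_list(user_patterns, kubernetes_enabled):
    """Return the map entries to write to image-allow-list.conf.

    The reported bug is that the Kubernetes defaults are appended even
    when Kubernetes is disabled.  This models the expected behaviour:
    the defaults are appended only when Kubernetes is enabled, so a user
    who disabled it gets exactly the list they configured (possibly empty).
    """
    patterns = list(user_patterns)
    if kubernetes_enabled:
        patterns.extend(K8S_DEFAULT_PATTERNS)
    return ['"~*%s" 0;' % p for p in patterns]


def parse_entries(lines):
    """Parse rendered map entries back into case-insensitive regexes."""
    compiled = []
    for line in lines:
        m = re.fullmatch(r'"~\*(.*)" 0;', line)
        if m is None:
            raise ValueError("unrecognised allow-list entry: %r" % line)
        compiled.append(re.compile(m.group(1), re.IGNORECASE))
    return compiled


def is_allowed(request, entries):
    """True if "<host>[:port]/v2/.../manifests/<ref>" matches any entry."""
    return any(rx.search(request) for rx in entries)


if __name__ == "__main__":
    # Constructed sample requests; none of these hosts are contacted.
    requests = [
        "registry.k8s.io/v2/pause/manifests/3.6",
        "REGISTRY.K8S.IO:443/v2/pause/manifests/3.6",
        "us-docker.pkg.dev/v2/my-project/my-image/manifests/latest",
        "registry-1.docker.io/v2/rancher/mirrored-pause/manifests/3.6",
        "registry-1.docker.io/v2/library/nginx/manifests/latest",
    ]
    for k8s in (False, True):
        entries = parse_entries(render_allow_list([], kubernetes_enabled=k8s))
        print("kubernetes_enabled=%s, %d entries" % (k8s, len(entries)))
        for req in requests:
            print("  %-62s %s" % (req, "allow" if is_allowed(req, entries) else "block"))
```

Note on the second pattern: `[^./]+\.pkg\.dev` matches any single label in front of `.pkg.dev`, so one default entry allows every repository on that CDN, not just the images Kubernetes needs. With Kubernetes disabled none of the three entries serves a purpose, which is why an empty user list should render as an empty file.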

jandubois commented 1 year ago

The registry.k8s.io image is the default sandbox image from cri-dockerd, so if we drop that package in favour of using --docker in k3s again (#3286), then we no longer need it.

We can then also drop the entry for the corresponding Google package CDN and tell people to add *.pkg.dev/... manually if they use a registry using that network (wildcard in hostname requires #3622).

The rancher/mirrored-pause:3.6 image is configured by us as the sandbox image in the containerd config. I think we should probably bundle a tarball copy of the image inside our distro and load it via nerdctl load pause.tar.zstd, so the image is guaranteed to be available in airgap scenarios.