fix(sandbox): add missing PodSecurity restricted:latest fields

Sandbox pods for analysis/execution fail to start on clusters
enforcing the restricted Pod Security Standard (default for
openshift-* namespaces). Add runAsNonRoot and seccompProfile
at both pod and container level in podspec_builder.go and
bootstrap.go, matching the pattern already used by the console
plugin reconciler.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jrangelramos

controller/proposal/podspec_builder.go

@@ -124,8 +124,12 @@ func (b *PodSpecBuilder) Build(
 	return &corev1.PodSpec{
 		ServiceAccountName:           serviceAccount,
 		AutomountServiceAccountToken: ptr.To(true),
-		Containers:                   []corev1.Container{container},
-		Volumes:                      volumes,
+		SecurityContext: &corev1.PodSecurityContext{
+			RunAsNonRoot:   ptr.To(true),
+			SeccompProfile: &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault},
+		},
+		Containers: []corev1.Container{container},
+		Volumes:    volumes,
 	}, nil
 }
 

controller/sandbox/bootstrap.go

@@ -103,6 +103,12 @@ func ensureSandboxTemplate(ctx context.Context, c client.Client, image, namespac
 					"spec": map[string]any{
 						"serviceAccountName":           templateName,
 						"automountServiceAccountToken": false,
+						"securityContext": map[string]any{
+							"runAsNonRoot": true,
+							"seccompProfile": map[string]any{
+								"type": "RuntimeDefault",
+							},
+						},
 						"containers": []any{
 							map[string]any{
 								"name":  "agent",