
[K8s] Run default runtime image as non-root user (uid 1000)#1469

Open
mskuratowski wants to merge 1 commit into lithops-cloud:master from mskuratowski:feat/k8s-non-root-runtime-image

Conversation

@mskuratowski
Contributor

Follow-up to #1463 - completes the runtime-image side of the security context work.

What

  • runtime/kubernetes/Dockerfile and the auto-built DOCKERFILE_DEFAULT now create a lithops user (uid/gid 1000) and end with USER 1000:1000.
  • The PSS Restricted recipe in docs/source/compute_config/kubernetes.md works directly with the bundled and auto-built images — no custom rebuild needed.
  • Bonus: PIP_CONSTRAINT=setuptools<81 so legacy sdists that import pkg_resources (e.g. ibm-cos-sdk family, which only ships sdist) still build under setuptools 81+.

Why

The PSS Restricted recipe added in #1463 currently requires users to fork the runtime image to add a non-root USER directive. Doing it upstream removes that step. uid 1000 matches the docs example.

Verified locally on macOS arm64 / Rancher Desktop:

  • lithops runtime build -b k8s -f runtime/kubernetes/Dockerfile <user>/img:tag succeeds. Previously failed at pkg_resources import while building ibm-cos-sdk sdists in the PEP 517 build env.
  • lithops runtime deploy and lithops hello -b k8s -s minio pass; meta and worker pods run under uid 1000.
  • Re-ran lithops hello with pod_security_context: {runAsNonRoot: true, runAsUser: 1000, runAsGroup: 1000, seccompProfile: {type: RuntimeDefault}}. Pods start under PSS Restricted constraints and the function returns successfully.

Developer's Certificate of Origin 1.1

   By making a contribution to this project, I certify that:

   (a) The contribution was created in whole or in part by me and I
       have the right to submit it under the Apache License 2.0; or

   (b) The contribution is based upon previous work that, to the best
       of my knowledge, is covered under an appropriate open source
       license and I have the right under that license to submit that
       work with modifications, whether created in whole or in part
       by me, under the same open source license (unless I am
       permitted to submit under a different license), as indicated
       in the file; or

   (c) The contribution was provided directly to me by some other
       person who certified (a), (b) or (c) and I have not modified
       it.

   (d) I understand and agree that this project and the contribution
       are public and that a record of the contribution (including all
       personal information I submit with it, including my sign-off) is
       maintained indefinitely and may be redistributed consistent with
       this project or the open source license(s) involved.
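The pod_security_context the author re-ran lithops hello under covers the pod-level half of the Pod Security Standards "Restricted" profile (runAsNonRoot, a non-zero runAsUser, an explicit seccompProfile). Restricted additionally enforces container-level fields (allowPrivilegeEscalation: false, capabilities.drop: [ALL], no privileged containers), which the PR description does not show. The following checker is an added example, not Lithops code and not part of this PR: it evaluates a pod-level context plus one container's securityContext against those Restricted controls, using the Kubernetes API field names. The PR's pod-level values are copied as a passing input; the hardened container context and the root/default configuration are constructed inputs for comparison.

```python
"""Check a pod-level securityContext (Lithops' pod_security_context) and an
optional container securityContext against the Pod Security Standards
"Restricted" controls. Added example; not Lithops project code."""

from typing import Any, Dict, List, Optional

SecCtx = Dict[str, Any]

# Pod-level context as given in the PR description.
PR_POD_CONTEXT: SecCtx = {
    "runAsNonRoot": True,
    "runAsUser": 1000,
    "runAsGroup": 1000,
    "seccompProfile": {"type": "RuntimeDefault"},
}

# Constructed container securityContext satisfying the container-level
# Restricted controls (assumption: not a Lithops setting shown in the PR).
HARDENED_CONTAINER: SecCtx = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
}

# Constructed weak configuration: root uid, no seccomp profile, unhardened container.
ROOT_POD_CONTEXT: SecCtx = {"runAsUser": 0}
DEFAULT_CONTAINER: SecCtx = {}

ALLOWED_SECCOMP = ("RuntimeDefault", "Localhost")
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def check_restricted(pod_ctx: SecCtx, container_ctx: Optional[SecCtx] = None) -> List[str]:
    """Return the Restricted controls violated by pod_ctx plus one container's
    securityContext. An empty list means the pair passes the checked controls."""
    container_ctx = container_ctx or {}
    problems: List[str] = []

    def effective(field: str) -> Any:
        # A container-level value overrides the pod-level value for the same field.
        return container_ctx[field] if field in container_ctx else pod_ctx.get(field)

    # Restricted: runAsNonRoot must be true; the container may inherit it from the pod.
    if effective("runAsNonRoot") is not True:
        problems.append("runAsNonRoot must be true at pod or container level")

    # Restricted: runAsUser may be unset, but must never be 0.
    if effective("runAsUser") == 0:
        problems.append("runAsUser must not be 0")

    # Restricted: seccompProfile.type must be explicitly RuntimeDefault or Localhost;
    # both Unconfined and an absent profile are rejected.
    seccomp = effective("seccompProfile") or {}
    if seccomp.get("type") not in ALLOWED_SECCOMP:
        problems.append("seccompProfile.type must be RuntimeDefault or Localhost")

    # Container-only controls; Restricted requires these to be set explicitly.
    if container_ctx.get("privileged", False):
        problems.append("privileged must be false")
    if container_ctx.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be explicitly false")
    caps = container_ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        problems.append("capabilities.drop must include ALL")
    extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
    if extra:
        problems.append(f"capabilities.add may only contain NET_BIND_SERVICE, not {sorted(extra)}")

    return problems


if __name__ == "__main__":
    for label, pod, ctr in (
        ("PR pod context + hardened container", PR_POD_CONTEXT, HARDENED_CONTAINER),
        ("PR pod context, container left at defaults", PR_POD_CONTEXT, DEFAULT_CONTAINER),
        ("root pod context + default container", ROOT_POD_CONTEXT, DEFAULT_CONTAINER),
    ):
        print(f"{label}: {check_restricted(pod, ctr) or 'OK'}")
```

One caveat that is directly related to the Dockerfile change: the kubelet enforces runAsNonRoot: true at container start by looking at the image's configured user when no runAsUser is set, and it can only do that for a numeric user. An image ending in USER lithops (a name) would be refused with a "non-numeric user" error under the same pod_security_context, which is why ending the Dockerfile with USER 1000:1000 matters and not only the user creation step.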
