[Security] Improve secureness of dind root containers with "User Namespaces" feature.

[YvesEarnix]

What would you like added?

Because the DinD (Docker-in-Docker) pod runs as root, it should leverage Kubernetes “User Namespaces” for better isolation and security (see https://kubernetes.io/docs/tasks/configure-pod-container/user-namespaces/).

Enabling this feature only requires adding the field hostUsers: false to the pod template, for example here:
https://github.com/actions/actions-runner-controller/blob/master/charts/gha-runner-scale-set/templates/autoscalingrunnerset.yaml#L157

Why is this needed?

User Namespaces are a new Kubernetes security feature that significantly reduces the risk of privilege escalation. Security is a must-have. 😊

Additional context

• The spec.hostUsers field is available starting with Kubernetes 1.30 (to be confirm)
• Setting hostUsers: false activates User Namespaces only if clusters support them; otherwise clusters the field is simply ignored, so compatibility is maintained.

[yashrajdighe]

Good suggestion to fix the VULN, I tried enabling this while doing a POC but I am getting below error post configuring hostUsers: false and the runner pod was unable to start.

Warning FailedCreatePodSandBox 5s (x7 over 90s) kubelet Failed to create pod sandbox: the handler "" is not known