Validate CRI-O annotation to enable writable cgroups

Gitaly spawns Git processes into a cgroup per repository so that a runaway Git process in one repository is killed by the kernel without taking down the whole service/pod in an OOM event. To set up those cgroups we use an init container: the container is not privileged, but its processes run as root. Container runtimes provide configuration options that make the container's cgroup hierarchy writable without requiring privileged mode.

  • containerd: supports the cgroup_writable setting, configurable in the containerd configuration file. We have validated this with Gitaly: gitlab#523254 (closed)
  • CRI-O: supports the pod annotation io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw (see: https://github.com/cri-o/cri-o/pull/5277). CRI-O only honours it when the annotation is listed in the allowed_annotations of the runtime handler in the CRI-O configuration. This has not been validated with Gitaly yet.

Since some customers run on OpenShift, where CRI-O is the default runtime, we should validate this configuration so we can confidently recommend it to them.
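To make the validation concrete, here is a probe script an init container could run to report whether the cgroup v2 hierarchy the runtime mounted is actually writable, i.e. whether the containerd cgroup_writable setting or the CRI-O annotation above took effect. This is an added example, not Gitaly's or CRI-O's own code; the script name validate-cgroup-rw.sh, the MOUNTS_FILE and CGROUP_ROOT variables and the probe directory name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Gitaly's or CRI-O's code): check from inside a container
# whether the cgroup v2 hierarchy is mounted read-write and whether a child
# cgroup can be created, which is what the per-repository cgroups need.
# MOUNTS_FILE and CGROUP_ROOT are assumed defaults, overridable for testing.
set -u

MOUNTS_FILE="${MOUNTS_FILE:-/proc/self/mounts}"
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup}"

# cgroup2_mount_mode MOUNTS ROOT
# Prints "rw" or "ro" for the cgroup2 filesystem mounted at ROOT according to
# MOUNTS (/proc/self/mounts format: source target fstype options dump pass).
# Returns 1 when no cgroup2 filesystem is mounted at ROOT.
cgroup2_mount_mode() {
  mounts="${1:-$MOUNTS_FILE}"
  root="${2:-$CGROUP_ROOT}"
  while read -r _src target fstype opts _rest; do
    [ "$fstype" = "cgroup2" ] && [ "$target" = "$root" ] || continue
    case ",$opts," in
      *,ro,*) echo ro; return 0 ;;
      *,rw,*) echo rw; return 0 ;;
    esac
  done < "$mounts"
  return 1
}

# can_create_cgroup ROOT
# Creates and immediately removes a throwaway child cgroup under ROOT. On a
# read-only hierarchy the mkdir fails with EROFS, so this is the real test of
# whether Gitaly would be able to create its per-repository cgroups.
can_create_cgroup() {
  root="${1:-$CGROUP_ROOT}"
  probe="$root/gitaly-rw-probe-$$"
  if mkdir "$probe" 2>/dev/null; then
    rmdir "$probe"
    return 0
  fi
  return 1
}

# Run both checks against the live system and fail loudly, so the init
# container stops the pod instead of letting Gitaly start without cgroups.
main() {
  mode=$(cgroup2_mount_mode "$MOUNTS_FILE" "$CGROUP_ROOT") || {
    echo "no cgroup2 filesystem mounted at $CGROUP_ROOT" >&2
    return 2
  }
  echo "cgroup2 at $CGROUP_ROOT is mounted $mode"
  if can_create_cgroup "$CGROUP_ROOT"; then
    echo "child cgroup creation under $CGROUP_ROOT: ok"
  else
    echo "child cgroup creation under $CGROUP_ROOT: failed (hierarchy not writable)" >&2
    return 1
  fi
}

# Only run the checks when invoked as validate-cgroup-rw.sh, so the functions
# can also be sourced by other scripts (or a test) without side effects.
case "${0##*/}" in
  validate-cgroup-rw.sh) main "$@" ;;
esac
```

Run it as the command of a non-privileged, root-running init container in a pod that carries the annotation io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw (on CRI-O) or on a node whose containerd runtime handler has cgroup_writable enabled; a non-zero exit means the setting did not take effect. The mount-option check alone is not sufficient, because a hierarchy can be mounted rw while the container still lacks permission to create subdirectories, which is why the mkdir probe is the decisive step.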