
Implement allowList configuration for PodSpec

Description

GitLab Runner currently supports configuring PodSpec in the config.toml file. When specified, this PodSpec configuration modifies the Pod Specification generated by the Runner Manager during job Pod creation.

There is interest in extending this functionality to .gitlab-ci.yml files (Add support for named GitLab Runner PodSpec(s) ... (gitlab#396361)), but implementation is blocked without a mechanism allowing administrators to control which specific PodSpec elements can be modified. This control mechanism would serve as a critical security boundary before exposing this capability to CI configuration files.

Proposal

The proposed solution is to implement JSON Schema validation to define allowable modifications to the GitLab-generated PodSpec. This approach would provide a structured framework for controlling which elements of the Pod specification can be altered by users.
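As an added illustration of how a JSON Schema can act as that allowList (example code, not GitLab Runner's own implementation or schema): a constructed administrator policy that permits only a nodeSelector restricted to two architectures and activeDeadlineSeconds, with a validator for the small schema subset it uses, run against a compliant and a non-compliant PodSpec patch. The permitted field names, the enum values and the sample patches are assumptions chosen for the example.

```python
import json

# Constructed administrator allowList (not GitLab's): "additionalProperties": false
# is what turns a schema into an allowList, since every PodSpec field it does not
# name (hostNetwork, securityContext, volumes, ...) becomes a violation.
ADMIN_ALLOWLIST = {
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "nodeSelector": {
            "type": "object",
            "additionalProperties": False,
            "properties": {
                "kubernetes.io/arch": {"type": "string", "enum": ["amd64", "arm64"]},
            },
        },
        "activeDeadlineSeconds": {"type": "integer"},
    },
}

# JSON Schema subset implemented here: type, properties, additionalProperties, enum.
TYPES = {"object": dict, "string": str, "integer": int, "boolean": bool}

def validate(schema, value, path="$"):
    """Return the violations of `value` against `schema`; an empty list means allowed."""
    expected = TYPES.get(schema.get("type"))
    # bool is a subclass of int in Python, so True/False must not pass as an integer
    if expected is not None and (not isinstance(value, expected)
                                 or (expected is int and isinstance(value, bool))):
        return [f"{path}: expected {schema['type']}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} is not one of {schema['enum']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key, child in value.items():
            if key in props:
                errors.extend(validate(props[key], child, f"{path}.{key}"))
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{key}: field not in allowList")
    return errors

def check_podspec_patch(patch_json):
    """Validate a user-supplied PodSpec patch (as it might arrive from .gitlab-ci.yml)."""
    return validate(ADMIN_ALLOWLIST, json.loads(patch_json))

if __name__ == "__main__":
    # constructed patches: one inside the allowList, one that also tries hostNetwork
    print(check_podspec_patch('{"nodeSelector": {"kubernetes.io/arch": "arm64"}}'))
    print(check_podspec_patch('{"hostNetwork": true, "nodeSelector": {"kubernetes.io/arch": "s390x"}}'))
```

A production validator would use a full JSON Schema library; the subset here is only what the constructed policy needs.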

Links to related issues and merge requests / references