Run agent + chromium as non-root user

[The-9880]

Closes #847

This might be a little naive, please keep me honest. cc @mem @nadiamoe

Looking for feedback on the following

• Confirm: version this as a breaking change?
• Can we make this more restrictive?
• Q about k8s securityContext at the bottom of this description.

Summary:

• Sets up a non-root user for both the release and with-browser build targets of the Dockerfile.
• Updates the scratch/tarball-based images to do the same.
• Tested every protocol check config I could attempt (IPv4, IPv6, DNS, traceroute, etc.)
• Tested scripted and browser checks, seem to work.
• Tested on Docker directly as well as K8s.

K8s securityContext

Here's the toy YAML that I used to run this in my local cluster:

apiVersion: v1
kind: Pod
metadata:
  name: agent
  labels:
    app.kubernetes.io/name: agent
spec:
  securityContext:
  containers:
    - name: agent-tip
      image: only-agent
      imagePullPolicy: Never
      ports:
        - containerPort: 4050
          name: http-metric
      args:
        - --api-server-address=$(API_SERVER)
        - --api-token=$(API_TOKEN)
        - --verbose=true
      env:
        - name: API_TOKEN
          value: "<API_TOKEN>"
        - name: API_SERVER
          value: "synthetic-monitoring-grpc-us-east-0.grafana.net:443"
      securityContext:
        runAsUser: 12345
        runAsGroup: 12345
        runAsNonRoot: true
        # allowPrivilegeEscalation: false
        capabilities:
          drop: ["all"]
          add: ["NET_RAW"]

The issue with this securityContext:

securityContext:
  runAsUser: 12345
  runAsGroup: 12345
  runAsNonRoot: true
  # allowPrivilegeEscalation: false
  capabilities:
    drop: ["all"]
    add: ["NET_RAW"]

Is that if I uncomment allowPrivilegeEscalation: false then I run into the following error:

listen ip4:icmp 0.0.0.0: socket: operation not permitted

Which, I guess, is from the default behaviour of listening on localhost:4050 for the /metrics endpoint?