feat(kubernetes): fall back to system CA roots when no CA is configured

[rajsinghtech]

Replaces #5904.

When no caBundle or caProvider is configured, the Kubernetes provider should fall back to system certificate roots instead of rejecting the configuration. This matches client-go/kubectl default behavior.

Both the distroless/static and UBI images already include system CA certificates. The runtime code already handles nil CA correctly — only the validation webhook needs to change from a hard error to a warning.