Security: Harden file and directory permissions for webhook certificates

[rakshaak29]

Ⅰ. Describe what this PR does

This PR hardens the security of the webhook certificate writer by reducing overly permissive file and directory permissions in pkg/webhook/util/writer/fs.go. It also addresses TODO comments left by developers regarding whether the permissions could be reduced.

Changes made:

• Reduced webhook certificate directory permissions from 0777 (world-writable) to 0750.
• Reduced generated private key permissions (CAKey, ServerKey, ServerKey2) from 0666 (world-readable/writable) to 0600.
• Reduced generated public certificate permissions (CACert, ServerCert, ServerCert2) from 0666 to 0640.

Ⅱ. Does this pull request fix one issue?

NONE

(Note: If you ended up creating an issue with the previous template, replace NONE with fixes #<YOUR_ISSUE_NUMBER>)

Ⅲ. Describe how to verify it

1. Run the package unit tests to verify they are still successfully able to read/write the certs:

   go test ./pkg/webhook/util/writer/...

[kruise-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign furykerry for approval by writing /assign @furykerry in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

Hardens the webhook certificate filesystem writer by reducing overly permissive directory and file modes used when creating/writing certificates.

Changes:

• Reduce certificate directory creation mode from 0777 to 0750.
• Reduce private key file modes from 0666 to 0600.
• Reduce certificate file modes from 0666 to 0640.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.42%. Comparing base (749e8f2) to head (3ffc324).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2420      +/-   ##
==========================================
+ Coverage   48.77%   49.42%   +0.64%     
==========================================
  Files         324      325       +1     
  Lines       27928    27950      +22     
==========================================
+ Hits        13623    13814     +191     
+ Misses      12775    12553     -222     
- Partials     1530     1583      +53     

Flag	Coverage Δ
unittests	49.42% <100.00%> (+0.64%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.