Default allow_privilege_escalation to False

Allows it to be set to None as well, to not set the property.

This is a breaking change for hubs where admins were granting
sudo rights to users. That already required some extra work,
so this would be an additional propety to set for that. The
added security benefit from this much more secure default is
well worth the breakage IMO.

Fixes #544

kubespawner/objects.py

@@ -334,8 +334,8 @@ def make_pod(
         container_security_context.run_as_group = int(run_as_gid)
     if run_privileged:
         container_security_context.privileged = True
-    if not allow_privilege_escalation:
-        container_security_context.allow_privilege_escalation = False
+    if not allow_privilege_escalation is not None:
+        container_security_context.allow_privilege_escalation = allow_privilege_escalation
     # Only clutter container spec with actual content
     if all([e is None for e in container_security_context.to_dict().values()]):
         container_security_context = None

kubespawner/spawner.py

@@ -747,15 +747,21 @@ def _validate_image_pull_secrets(self, proposal):
     )
 
     allow_privilege_escalation = Bool(
-        True,
+        False,
         config=True,
+        allow_none=True,
         help="""
         Controls whether a process can gain more privileges than its parent process.
-        
-        This bool directly controls whether the no_new_privs flag gets set on the container 
+
+        When set to False (the default), the primary user visible effect is that
+        setuid binaries (like sudo) will no longer work.
+
+        When set to None, the defaults for the cluster are respected.
+
+        This bool directly controls whether the no_new_privs flag gets set on the container
         process.
 
-        AllowPrivilegeEscalation is true always when the container is: 
+        AllowPrivilegeEscalation is true always when the container is:
         1) run as Privileged OR 2) has CAP_SYS_ADMIN.
         """
     )