Ship static busybox shell in k8s-device-plugin image #1744

@rajathagasthya

Description

Part of NVIDIA/cloud-native-team#299.

NVIDIA STIG policy is dropping -dev distroless tags as approved
parent images. To move the k8s-device-plugin image onto a base image
without the -dev suffix, without changing the entrypoint or any
Kubernetes manifests, we ship a static busybox shell inside the image.

Approach

Add a debian:trixie-slim shell-builder stage to
deployments/container/Dockerfile that apt-installs busybox-static.
COPY /bin/busybox into the final stage and run
busybox --install -s /bin to populate /bin/sh, /bin/rm,
/bin/ln, etc. Flip the final base from
nvcr.io/nvidia/distroless/go:<ver>-dev to the matching non--dev
variant. Drop the existing SHELL ["/busybox/sh", "-c"] directive
and the RUN ln -s /busybox/sh /bin/sh symlink — the static busybox
install replaces them.

FROM debian:trixie-slim AS shell-builder
RUN apt-get update \
 && apt-get install --no-install-recommends -y busybox-static \
 && rm -rf /var/lib/apt/lists/*

FROM nvcr.io/nvidia/distroless/go:<version>
COPY --from=shell-builder /bin/busybox /bin/busybox
RUN ["/bin/busybox", "--install", "-s", "/bin"]

The existing nvidia-device-plugin / GFD / MPS daemon entrypoints
and Helm manifests remain untouched.

Precedent: kubernetes-sigs/dra-driver-nvidia-gpu uses the same pattern
with bash-static.

Tracking

No PR yet — separate companion PR will be opened against this repo.

Acceptance

  • Dockerfile no longer references a -dev distroless tag
  • No /busybox/sh references remain; /bin/sh is provided by static busybox
  • Image builds successfully on amd64 and arm64
  • device-plugin / GFD / MPS daemon binaries run as before when
    consumed by gpu-operator
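The first two acceptance items can be checked mechanically before the image is even built. The script below is an added example for this write-up, not code from the issue or from the k8s-device-plugin project: it lints a Dockerfile for a -dev distroless base tag, for leftover /busybox/sh references (the old SHELL directive and ln -s symlink), and for the presence of a busybox --install step. The function names check_dockerfile and write_sample_dockerfiles are assumptions, and the two sample Dockerfiles it writes are constructed to mirror the "before" and "after" described above.

```shell
#!/bin/sh
# Added example, not from the issue or the project. Lints a Dockerfile
# against the acceptance criteria: no -dev distroless tag, no /busybox/sh
# references, and a busybox --install step present. Function names are
# assumptions made for this example.

# check_dockerfile FILE
# Prints each finding; returns 0 if the file is clean, 1 otherwise.
check_dockerfile() {
  file="$1"
  rc=0
  # A FROM line whose image tag ends in -dev (e.g. distroless/go:<version>-dev)
  if grep -En '^[[:space:]]*FROM[[:space:]]+[^[:space:]]+:[^[:space:]]*-dev([[:space:]]|$)' "$file"; then
    echo "FAIL: -dev base image tag in $file"
    rc=1
  fi
  # Leftover references to the old /busybox/sh location (SHELL or ln -s)
  if grep -En '/busybox/sh' "$file"; then
    echo "FAIL: /busybox/sh reference in $file"
    rc=1
  fi
  # The final stage must install the static busybox applets into /bin
  if ! grep -Eq 'busybox.*--install' "$file"; then
    echo "FAIL: no 'busybox --install' step in $file"
    rc=1
  fi
  return "$rc"
}

# write_sample_dockerfiles DIR
# Writes two constructed sample Dockerfiles: DIR/Dockerfile.old (the
# pre-change shape) and DIR/Dockerfile.new (the shape proposed above).
write_sample_dockerfiles() {
  dir="$1"
  cat > "$dir/Dockerfile.old" <<'EOF'
FROM nvcr.io/nvidia/distroless/go:<version>-dev
SHELL ["/busybox/sh", "-c"]
RUN ln -s /busybox/sh /bin/sh
EOF
  cat > "$dir/Dockerfile.new" <<'EOF'
FROM debian:trixie-slim AS shell-builder
RUN apt-get update \
 && apt-get install --no-install-recommends -y busybox-static \
 && rm -rf /var/lib/apt/lists/*

FROM nvcr.io/nvidia/distroless/go:<version>
COPY --from=shell-builder /bin/busybox /bin/busybox
RUN ["/bin/busybox", "--install", "-s", "/bin"]
EOF
}

# Demo run on the constructed samples (not executed by the test harness)
demo_dir=$(mktemp -d)
write_sample_dockerfiles "$demo_dir"
echo "== old =="
check_dockerfile "$demo_dir/Dockerfile.old" || echo "old Dockerfile: not acceptable"
echo "== new =="
check_dockerfile "$demo_dir/Dockerfile.new" && echo "new Dockerfile: acceptable"
```

Run it against deployments/container/Dockerfile instead of the constructed samples to gate the change in CI; a non-zero exit means one of the first two acceptance items is still open. The regex deliberately anchors on the tag ending in -dev so that unrelated tags such as trixie-slim are not flagged.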
