[codex] Support kubernetes v36 in Iris

[yonromai]

Summary

• Allow Iris to run with kubernetes==36.0.0.
• Bridge the v36 bearer-token key change for kubeconfig and in-cluster clients.
• Decode pod logs from raw response bytes before limit_bytes trimming.

Upstream Auth Change

kubernetes==36.0.0 changed the generated client auth lookup from authorization to BearerToken, but the released v36 config loaders still populate authorization. Iris mirrors the loaded token into both keys so generated APIs authenticate and refresh hooks keep both aliases current.

The core upstream quote is from the release-36.0 changelog: Configuration auth uses 'BearerToken' instead of 'authorization' in api_key.

Additional upstream evidence

• The v36 generated client checks BearerToken: if 'BearerToken' in self.api_key:
• The v36 in-cluster loader still writes authorization: client_configuration.api_key['authorization'] = self.token
• The v36 kubeconfig loader still writes authorization: client_configuration.api_key['authorization'] = self.token
• Upstream fix PR kubernetes-client/python#2585 describes the same loader mismatch as they still write api_key['authorization'] and the failure mode as silently send unauthenticated requests.
• Upstream issue kubernetes-client/python#2582 matches the observed failure shape: headers: {} and system:anonymous.

Validation

• cd lib/iris && uv run --group dev python -m pytest --tb=short tests/cluster/providers/k8s/test_cloud_k8s_service.py (44 passed)
• cd lib/iris && uv run --group dev python -m pytest --tb=short tests/cluster/providers/k8s (250 passed)
• ./infra/pre-commit.py --files lib/iris/src/iris/cluster/providers/k8s/service.py lib/iris/tests/cluster/providers/k8s/test_cloud_k8s_service.py lib/iris/pyproject.toml uv.lock (passed)
• Manual CW kubeconfig repro lists pods in iris-ci with both auth aliases present.
• Manual CW in-cluster probe confirmed kubernetes 36.0.0 and both auth aliases.
• CoreWeave smoke passed on the pre-rebase equivalent patch: run 26311058587, job 77461399389.

[yonromai]

🤖 Closing this draft without merging. We are keeping Iris pinned to the known-good Kubernetes Python client v35 line via #5914 and tracking the future upgrade after an upstream fixed release in #5924.