KPO: treat registry 5xx errors as transient during pod startup

[potiuk]

When a pod is starting, kubelet automatically retries failed image pulls with exponential backoff. KubernetesPodOperator monitors the pod via detect_pod_terminate_early_issues() in pod_manager.py and aborts early on what it deems a fatal pull error — but the transient-error pattern list did not cover registry 5xx / gateway outages. A short Docker Hub outage (502/503/504 from auth.docker.io or the registry) was being classified as fatal and would abort the pod before kubelet's next retry, even though the pull would have succeeded once upstream recovered.

Observed in this run where test_pod_hostnetwork failed with:

failed to authorize: failed to fetch anonymous token:
  unexpected status from GET https://auth.docker.io/token?...: 502 Bad Gateway
→ PodLaunchFailedException: Image cannot be pulled, unable to start: ErrImagePull

Changes

• Add canonical gateway error phrases (bad gateway, service unavailable, gateway timeout) to TRANSIENT_ERROR_PATTERNS so these conditions let kubelet keep retrying within the caller's startup_timeout budget.
• Also treat kubelet's own ImagePullBackOff back-off pulling cooldown message as transient — without it we would still bail the moment kubelet moves into its retry backoff state.
• Add direct unit tests for detect_pod_terminate_early_issues covering both the new transient patterns and the fatal cases.
• Update the existing test_await_pod_completion_breaks_on_early_termination_issue to use InvalidImageName (still fatal) instead of the now-transient ImagePullBackOff / back-off pulling combo.

startup_timeout still bounds the overall wait, and genuinely fatal pull errors (InvalidImageName, ErrImageNeverPull, manifest unknown, unauthorized, …) remain fatal.

---

Was generative AI tooling used to co-author this PR?

• Yes — Claude Code (Opus 4.7, 1M context)

Generated-by: Claude Code (Opus 4.7, 1M context) following the guidelines