Add kata containers runtime

This allows running containers in lightweight VMs transparently. It should allow us to run untrusted containers in "privileged" mode safely, albeit with a performance penalty.

See #30 (closed): running a separate GitLab runner that runs kata containers should allow us to run docker-in-docker safely.