Avoid setting /kind/bin to 0644

This allows runc hooks to work when not running as root (such as with
user namespaces).

images/base/Dockerfile

@@ -24,12 +24,14 @@ ARG BASE_IMAGE=debian:bookworm-slim
 FROM $BASE_IMAGE as base
 
 # copy in static files
-# all scripts are 0755 (rwx r-x r-x)
+# all scripts and directories are 0755 (rwx r-x r-x)
 # all non-scripts are 0644 (rw- r-- r--)
 COPY --chmod=0755 files/usr/local/bin/* /usr/local/bin/
 
-COPY --chmod=0644 files/kind/ /kind/
-COPY --chmod=0755 files/kind/bin/* /kind/bin/
+# Don't specify a chmod for /kind itself, else /kind/bin ends up with 0644
+# which isn't the correct permission for a directory.
+COPY files/kind/ /kind/
+COPY --chmod=0755 files/kind/bin/ /kind/bin/
 
 COPY --chmod=0644 files/LICENSES/* /LICENSES/*
 COPY --chmod=0644 files/etc/* /etc/
@@ -42,8 +44,6 @@ COPY --chmod=0644 files/etc/systemd/system/kubelet.service.d/* /etc/systemd/syst
 # Install dependencies, first from apt, then from release tarballs.
 # NOTE: we use one RUN to minimize layers.
 #
-# First we must ensure that our util scripts are executable.
-#
 # The base image already has a basic userspace + apt but we need to install more packages.
 # Packages installed are broken down into (each on a line):
 # - packages needed to run services (systemd)