@Suselz Suselz commented Oct 24, 2025

Description

Currently, all "deckhouse" namespaces are excluded from admission-policy-engine checks.

This is because there is no convenient tool for setting specific exceptions to checks for specific services.

In this PR, I have added this mechanism: a new SecurityPolicyException custom resource that allows administrators to define fine-grained exceptions to security policies. Pods can reference exceptions via the security.deckhouse.io/security-policy-exception label, enabling selective exemptions without excluding entire namespaces.

The implementation includes:

  • New SecurityPolicyException CRD with support for exceptions across all security policy parameters (securityContext, network, volumes, etc.)
  • Updated constraint templates to check for exceptions before enforcing policies
  • Bumped Gatekeeper to v3.20.1 to support Rego v1 in constraint templates
  • Handling of the security.deckhouse.io/enable-security-policy-check label to enable security checks for system namespaces
  • Gatekeeper configuration updated to sync SecurityPolicyException resources
  • Comprehensive test coverage for exception scenarios across all constraint templates

Why do we need it, and what problem does it solve?

Security improvements: This change enables more granular security policy management by allowing specific exceptions for individual services or pods, rather than blanket exclusions of entire namespaces. This improves security posture by minimizing the scope of exceptions while maintaining operational flexibility.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: admission-policy-engine
type: feature
summary: Added SecurityPolicyException CRD for fine-grained security policy exceptions
impact_level: low
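As an added illustration (not the constraint template code from this PR), the following Rego v1 fragment is written in the shape of a Gatekeeper policy: it resolves the SecurityPolicyException a pod references through the security.deckhouse.io/security-policy-exception label from Gatekeeper's synced inventory, and fails closed when the referenced exception is missing, lives in another namespace, or does not cover the check. The CRD apiVersion, the spec.securityContext list layout and the "allowPrivileged" check name are assumptions.

```rego
package securitypolicyexception_example

# Pod label naming a SecurityPolicyException (label name taken from the PR description).
exception_label := "security.deckhouse.io/security-policy-exception"

# Assumed apiVersion of the CRD; replace with the group/version the module actually registers.
exception_api_version := "deckhouse.io/v1alpha1"

# Gatekeeper syncs namespaced objects into data.inventory.namespace[ns][apiVersion][Kind][name].
# The lookup is keyed on the pod's own namespace, so a label pointing at an exception in a
# different namespace resolves to nothing (cross-namespace references cannot exempt a pod).
exception_for_pod := obj if {
	pod := input.review.object
	name := pod.metadata.labels[exception_label]
	obj := data.inventory.namespace[pod.metadata.namespace][exception_api_version].SecurityPolicyException[name]
}

# Assumed spec shape: spec.securityContext is a list of check names the exception waives.
# A check is exempted only when the exception exists and explicitly lists it; a dangling
# label, an empty list or an unrelated exception exempts nothing.
exempted(check) if {
	some waived in exception_for_pod.spec.securityContext
	waived == check
}

# Example enforcement: privileged containers are denied unless the pod's exception
# waives the (assumed) "allowPrivileged" check.
violation contains {"msg": msg} if {
	some container in input.review.object.spec.containers
	container.securityContext.privileged == true
	not exempted("allowPrivileged")
	msg := sprintf("container %q runs privileged and no SecurityPolicyException in namespace %q waives allowPrivileged", [container.name, input.review.object.metadata.namespace])
}
```

For the inventory lookup to work, Gatekeeper's Config resource must sync the SecurityPolicyException kind, as the PR description notes.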

@Suselz Suselz added this to the v1.74.0 milestone Oct 24, 2025
@Suselz Suselz self-assigned this Oct 24, 2025
@Suselz Suselz added the area/security Pull requests that update security modules label Oct 24, 2025
@github-actions github-actions bot added the area/api-change Pull requests that api changing label Oct 24, 2025
Suselz added 23 commits November 5, 2025 21:25
@Suselz Suselz force-pushed the securityPolicyException branch from 07e6b6a to c19e236 Compare November 5, 2025 16:25
@github-actions github-actions bot added the go Pull requests that update Go code label Nov 6, 2025
@Suselz Suselz added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 7, 2025
deckhouse-BOaTswain commented Nov 7, 2025

🟢 e2e: Yandex.Cloud for deckhouse:securityPolicyException succeeded in 35m38s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.30 - Connection string: ssh [email protected]

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.30 succeeded in 34m22s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Nov 7, 2025
@Suselz Suselz changed the title [global] Exclusion from PSS checks based on securityPolicyExceptions [admission-policy-engine] Exclusion from PSS checks based on securityPolicyExceptions Nov 7, 2025
@Suselz Suselz marked this pull request as ready for review November 7, 2025 15:18