Change OPA Gatekeeper default enforcement from dryrun/warn to blocking/enforcing
Feature Request
Why
- General security improvement. During a meeting the BigBang team discussed changing OPA GK's enforcement from dryrun/warn to blocking/enforcing at some point in the future; this ticket tracks that effort.
Proposed Solution
- If I recall correctly there's a lot of prep work that needs to happen first, like improving Helm chart templatization of some OPA GK constraints/constraint templates to make adjusting things like container registry whitelisting easier (in the event of an air-gapped registry).
- It might be a good idea to default to enforcing only after implementing any additional controls, such as 1:1 mappings of the PodSecurityPolicy controls that exist in the OPA Gatekeeper policy library (https://github.com/open-policy-agent/gatekeeper-library/tree/master/library) into the BigBang implementation, and after preparing a heads-up in the release notes about the coming change: how a user can check whether enforcement will cause issues before it is turned on, and how a user can kick the can by overriding a constraint back to dryrun.
- After the above is complete, default OPA GK policy to enforcing/blocking.
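One way to do the "will this break anything" check and the per-constraint dryrun override described above, as an added example that is not BigBang or Gatekeeper project code: it reads the JSON that `kubectl get constraints -A -o json` returns after an audit cycle (a constructed sample is embedded; constraint names, namespaces, workloads and the registry are hypothetical) and lists the audit violations recorded under dryrun/warn, which are the objects that would start being rejected once `spec.enforcementAction` is switched to `deny`. The Helm values override that `flip_to_deny` models is an assumption about how BigBang would expose the knob, not a documented chart value.

```python
"""Pre-flight check for moving Gatekeeper constraints from dryrun/warn to deny."""
import copy
import json

# Enforcement actions under which Gatekeeper audits but does not reject at admission.
NON_BLOCKING = {"dryrun", "warn"}

# Constructed sample of `kubectl get constraints -A -o json` after an audit cycle.
# Constraint names, namespaces, workloads and the registry are hypothetical.
SAMPLE_AUDIT = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {
            "apiVersion": "constraints.gatekeeper.sh/v1beta1",
            "kind": "K8sAllowedRepos",
            "metadata": {"name": "allowed-repos"},
            "spec": {"enforcementAction": "dryrun",
                     "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
                     "parameters": {"repos": ["registry.example.internal/"]}},
            "status": {"totalViolations": 2, "violations": [
                {"enforcementAction": "dryrun", "kind": "Pod", "namespace": "team-a",
                 "name": "legacy-app",
                 "message": "container <app> has an invalid image repo <docker.io/library/nginx:1.25>"},
                {"enforcementAction": "dryrun", "kind": "Pod", "namespace": "ci",
                 "name": "runner-7f9c",
                 "message": "container <runner> has an invalid image repo <ghcr.io/example/runner:v2>"},
            ]},
        },
        {   # dryrun constraint with a clean audit: flipping it changes nothing today
            "apiVersion": "constraints.gatekeeper.sh/v1beta1",
            "kind": "K8sPSPPrivilegedContainer",
            "metadata": {"name": "psp-privileged-container"},
            "spec": {"enforcementAction": "dryrun"},
            "status": {"totalViolations": 0, "violations": []},
        },
        {   # already deny: its violations are pre-existing objects, not a new break
            "apiVersion": "constraints.gatekeeper.sh/v1beta1",
            "kind": "K8sRequiredLabels",
            "metadata": {"name": "required-owner-label"},
            "spec": {"enforcementAction": "deny", "parameters": {"labels": [{"key": "owner"}]}},
            "status": {"totalViolations": 1, "violations": [
                {"enforcementAction": "deny", "kind": "Namespace", "name": "scratch",
                 "message": "you must provide labels: {\"owner\"}"}]},
        },
    ],
})


def parse_constraints(raw):
    """Return the constraint objects from a kubectl JSON List."""
    return json.loads(raw)["items"]


def effective_action(constraint):
    """Gatekeeper treats a missing spec.enforcementAction as deny."""
    return constraint.get("spec", {}).get("enforcementAction", "deny")


def pending_blocks(constraints):
    """Map constraint name -> audit violations recorded while it was dryrun/warn.

    These objects exist today despite violating the policy; after the flip to deny,
    the next create or update of anything like them is rejected at admission.
    Constraints already set to deny are skipped: the webhook already blocks on them.
    """
    pending = {}
    for c in constraints:
        if effective_action(c) not in NON_BLOCKING:
            continue
        violations = c.get("status", {}).get("violations", [])
        if violations:
            pending[c["metadata"]["name"]] = violations
    return pending


def affected_namespaces(pending):
    """Sorted namespaces owning at least one pending violation ('' for cluster-scoped)."""
    return sorted({v.get("namespace", "") for vs in pending.values() for v in vs})


def flip_to_deny(constraint, keep_dryrun=frozenset()):
    """Copy of the constraint with enforcementAction=deny, unless its name is in
    keep_dryrun: the per-constraint override (assumed to be a Helm values entry)
    that lets a user keep one policy in dryrun while the chart default moves to deny."""
    flipped = copy.deepcopy(constraint)
    if flipped["metadata"]["name"] not in keep_dryrun:
        flipped.setdefault("spec", {})["enforcementAction"] = "deny"
    return flipped


def report(raw):
    """Human-readable summary of what a flip to deny would start rejecting."""
    lines = []
    for name, violations in pending_blocks(parse_constraints(raw)).items():
        lines.append(f"{name}: {len(violations)} object(s) would be rejected under deny")
        for v in violations:
            lines.append(f"  {v['kind']} {v.get('namespace', '<cluster>')}/{v['name']}: {v['message']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT)) or "no pending violations; safe to flip to deny")
```

Two caveats when using this for real: audit only inspects objects already in the cluster, so a clean `status.violations` says nothing about images or workloads that will be deployed later; and Gatekeeper truncates each constraint's `status.violations` list at the `--constraint-violations-limit` flag (default 20) while `status.totalViolations` keeps the full count, so compare the two before trusting an empty-looking list.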