UNCLASSIFIED - NO CUI

Opa deny unallowed docker registries

Mark Sanchez requested to merge opa-deny-unallowed-docker-registries into master

Package Owner Merge Request

Package Changes

  • Updated constraint allowed-docker-registries enforcement to default deny
  • Excluded kube-system namespace for constraint allowed-docker-registries
  • Excluded istio-system namespace for constraint allowed-docker-registries in template/gatekeeper/values.yaml
  • Exempted Mattermost postgres container in template/gatekeeper/values.yaml
  • Added docs/production.md to detail recommendation for production

Links to all MRs that are associated with this change are required.

Also, include any issues closed with "Closes #ISSUENUMBER". See example:

Closes https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/issues/61

Add any labels for affected packages so that they are deployed in CI. See example:

Once the MR is ready for review, also add the status::review label.

Edited by Mark Sanchez