UNCLASSIFIED - NO CUI


Replace Gatekeeper policy tests with Kyverno

Closes https://repo1.dso.mil/platform-one/big-bang/bigbang/-/issues/717

The kyverno_policy_tests.sh script can be run locally from the root of a Big Bang package repository to see the results.

This MR establishes the logic for executing policy linting with the kyverno cli against Big Bang packages.

Further work needs to be done to dynamically grab the validationFailureAction from the kyverno policy manifests, and fail/pass the pipeline based on what that field is set to.

If the field is set to enforce, the kyverno policy should fail the pipeline if violated

If the field is set to audit, the kyverno policy should allow the pipeline to pass if violated, but flag a warning. This is accomplished by adding the policies.kyverno.io/scored: false annotation to the kyverno policy before execution.
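The enforce/audit handling described above, as an added example that is not the MR's kyverno_policy_tests.sh script: it reads validationFailureAction from a policy manifest, maps it to a pipeline verdict, and adds the policies.kyverno.io/scored: "false" annotation to audit policies. It assumes single-document, two-space-indented YAML (no yq), and the sample policies are constructed here.

```shell
set -euo pipefail
# Print the policy's validationFailureAction in lower case; Kyverno treats an
# unset field as "audit", so default to that.
policy_failure_action() {
  local action
  action=$(sed -n 's/^[[:space:]]*validationFailureAction:[[:space:]]*//p' "$1" |
           head -n 1 | tr -d '"' | tr '[:upper:]' '[:lower:]')
  printf '%s\n' "${action:-audit}"
}

# enforce -> "fail" (violations fail the pipeline); audit -> "warn".
pipeline_verdict() {
  case "$(policy_failure_action "$1")" in
    enforce) printf 'fail\n' ;;
    *)       printf 'warn\n' ;;
  esac
}
# Emit the manifest with policies.kyverno.io/scored: "false" under
# metadata.annotations, creating the annotations block if it is missing.
mark_unscored() {
  awk '
    /^metadata:/ { in_meta = 1; print; next }
    in_meta && /^  annotations:/ {
      print; print "    policies.kyverno.io/scored: \"false\""; in_meta = 0; next
    }
    in_meta && /^[^ ]/ {
      print "  annotations:"; print "    policies.kyverno.io/scored: \"false\""
      in_meta = 0
    }
    { print }
  ' "$1"
}
# Constructed sample policies (not real Big Bang policies) for the demo.
POLICY_DIR=$(mktemp -d)
cat > "$POLICY_DIR/audit.yaml" <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-run-as-nonroot
spec:
  validationFailureAction: audit
  rules: []
EOF
sed 's/Action: audit/Action: enforce/' "$POLICY_DIR/audit.yaml" > "$POLICY_DIR/enforce.yaml"

# Only audit policies are annotated before `kyverno apply` runs.
for p in "$POLICY_DIR"/*.yaml; do
  if [ "$(pipeline_verdict "$p")" = warn ]; then mark_unscored "$p" > "$p.scored"; fi
done
```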

More info on kyverno validation can be found here

More info on installing and using the kyverno cli can be found here

Changes:

  • Replaced Gatekeeper policy tests with Kyverno

  • Removed policy that validates whether pods have a status.qosClass of Guaranteed. See this doc for more information. The status.qosClass field is only present in pod YAML at runtime, so this check would never be satisfied because our pipelines perform policy checks against Kubernetes resources prior to being installed onto a cluster.

  • Updated bb-ci image to version 2.5.3

  • Added kyverno cli to bb-ci image

  • Updated helm cli in bb-ci image

  • Removed conftest binary and helm plugin from bb-ci image

Tests:

The configuration validation job in these pipelines executes the kyverno apply command against a given Big Bang package and shows the failed policy checks in the output under Kyverno Policy Tests in the pipeline output.

Edited by Lucas Rodriguez
