UNCLASSIFIED - NO CUI

SPIKE: Evaluate Kyverno policies not yet in audit or enforce mode

The purpose of this issue is to find out the possible impact of enabling each policy on bb packages.

The policies below are listed as disabled as of September 2025:

  • additional-policies
  • additional-policyexceptions
  • clone-configs
  • disallow-annotations
  • disallow-labels
  • disallow-pod-exec
  • disallow-rbac-on-default-serviceaccounts
  • disallow-tolerations
  • exception-require-non-root-group
  • exception-require-non-root-user
  • require-annotations
  • require-cpu-limit
  • require-image-signature
  • require-memory-limit
  • require-probes
  • require-requests-equal-limits
  • require-ro-rootfs
  • restrict-group-id
  • restrict-sysctl
  • restrict-user-id
  • update-image-pull-policy
  • update-image-registry

The policies below are enabled and in Audit mode:

  • disallow-auto-mount-service-account-token
  • disallow-deprecated-apis
  • disallow-istio-injection-bypass
  • require-istio-on-namespaces
  • require-labels
  • sync-gitlab-root-password
  • sync-gitlab-runner-secret
  • update-automountserviceaccounttokens
  • update-automountserviceaccounttokens-default
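
The Audit-mode policies above already generate Kyverno PolicyReports without blocking anything, which is the data this spike needs to judge impact. The following is an added example, not Big Bang or Kyverno code, that tallies those reports per policy and namespace; it assumes the wgpolicyk8s.io/v1alpha2 report shape Kyverno emits and uses constructed sample reports in place of real cluster output.

```python
# Added example (not Big Bang/Kyverno code): summarise Kyverno PolicyReport
# results to gauge what Enforce mode would reject. Assumes the
# wgpolicyk8s.io/v1alpha2 shape Kyverno emits (one report per namespace).
from collections import defaultdict

# Constructed sample shaped like `kubectl get policyreport -A -o json`,
# trimmed to the fields read below; not from a real cluster.
SAMPLE_REPORTS = {"items": [
    {"metadata": {"namespace": "gitlab"}, "results": [
        {"policy": "require-ro-rootfs", "result": "fail",
         "resources": [{"kind": "Pod", "name": "gitlab-webservice-0"}]},
        {"policy": "require-probes", "result": "pass"},
    ]},
    {"metadata": {"namespace": "monitoring"}, "results": [
        {"policy": "require-ro-rootfs", "result": "fail",
         "resources": [{"kind": "Pod", "name": "prometheus-0"}]},
        {"policy": "require-probes", "result": "fail",
         "resources": [{"kind": "Pod", "name": "grafana-7c9d"}]},
        {"policy": "require-cpu-limit", "result": "pass"},
    ]},
]}


def summarise(reports):
    """Per policy: pass/fail counts plus failing resources grouped by namespace."""
    summary = defaultdict(lambda: {"pass": 0, "fail": 0, "failing": defaultdict(list)})
    for report in reports["items"]:
        ns = report["metadata"]["namespace"]
        for r in report.get("results", []):
            entry = summary[r["policy"]]
            if r["result"] == "fail":
                entry["fail"] += 1
                for res in r.get("resources", []):
                    entry["failing"][ns].append(f'{res["kind"]}/{res["name"]}')
            elif r["result"] == "pass":
                entry["pass"] += 1
    return summary


def enforce_candidates(summary, policies):
    """Policies evaluated with zero failures: Enforce would admit every current
    workload. A policy absent from the reports (still disabled) has no data and
    is deliberately not treated as safe."""
    return sorted(p for p in policies if p in summary and summary[p]["fail"] == 0)


def blocking_workloads(summary, policy):
    """Namespaces and resources Enforce mode would reject for `policy`."""
    return {ns: sorted(names) for ns, names in summary[policy]["failing"].items()}
```

Policies still in the disabled list produce no report entries at all, so they have to be moved to Audit first before this tally says anything about them.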

Edited by Daniel Chen