Add finer-grained control over OPA Gatekeeper constraint exceptions
Currently, the constraints only allow exceptions by entire namespace (e.g. ignore the constraint for a namespace) or by a global parameter for that constraint (e.g. always allow image pulls from myrepo.com). However, both of these are too broad in scope and too easy to manipulate.
In the allowed repos constraint, there is an "exemptContainers" parameter that can be used to exempt a specific container name. This issue would expand this concept to all Constraints that apply to "Pods" so that a specific container can be made an exception.
In addition, this issue would expand the exemptContainers concept to include the namespace, so that the container could match a specific namespace (e.g. monitoring/node-exporter would exempt the container 'node-exporter' in the 'monitoring' namespace only).
Lastly, this issue would make sure all default exceptions (except the kube-system namespace) are contained in BigBang's gatekeeper values file, conditional on whether the package that needs the exception is enabled (e.g. monitoring is enabled, so add node-exporter as an exception).
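A sketch of how the namespace-scoped matching could look inside an allowed repos constraint template, as an added example that is not BigBang's or Gatekeeper's own code. The `namespace/container` entry format is the one proposed above; the `repos` parameter, the package name, the helper names, and the choice to keep bare container names matching in every namespace are assumptions.

```rego
package exemptcontainers_example

# Constructed constraint parameters this sketch expects:
#   repos:            ["myrepo.com/"]
#   exemptContainers: ["monitoring/node-exporter"]

# Default to "" so a missing namespace can never match an entry and
# never makes the violation message (and so the violation) undefined.
pod_namespace := object.get(input.review.object.metadata, "namespace", "")

# Entry without a namespace: exempts that container name in every
# namespace (assumed to remain for backward compatibility).
is_exempt(container) {
    entry := input.parameters.exemptContainers[_]
    not contains(entry, "/")
    entry == container.name
}

# Proposed "namespace/container" entry: both parts must match exactly.
# Entries with an empty part or more than one "/" never match.
is_exempt(container) {
    entry := input.parameters.exemptContainers[_]
    parts := split(entry, "/")
    count(parts) == 2
    parts[0] == pod_namespace
    parts[1] == container.name
}

# Regular and init containers are both subject to the constraint.
input_containers[c] {
    c := input.review.object.spec.containers[_]
}

input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}

allowed_repo(container) {
    startswith(container.image, input.parameters.repos[_])
}

violation[{"msg": msg}] {
    container := input_containers[_]
    not is_exempt(container)
    not allowed_repo(container)
    msg := sprintf("container <%v> in namespace <%v> uses image <%v> from a repo that is not allowed", [container.name, pod_namespace, container.image])
}
```

With the constructed parameters, a `node-exporter` container in `monitoring` is skipped, while a container with the same name in any other namespace is still checked against `repos`.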