[Spike] Determine path forward for container level exceptions on Kyverno

Currently there are some shortcomings with the approach we took for container level exceptions. The issue currently is that the existing solution using preconditions on all containers (ephemeralContainers, initContainers, containers) to filter out by name creates challenges when the policy needs to take into account something like pod.spec.securityContext as well as pod.spec.containers[*].securityContext.

The current solution involved rewriting particular policies to be broken up into two rules, one targeting the containers' securityContext and the other targeting the pod's securityContext. This results in a policy that is slightly different than the original. The main difference being the pod's securityContext and the containers securityContext are evaluated by separate rules which removes the ability to take advantage of the hierarchical nature of securityContext which would allow scenarios where you could specify the securityContext.runAsNonRoot for each container but omit it at the pod level like:

apiVersion: v1
kind: Pod
metadata:
  name: require-run-as-non-root
spec:
  containers:
  - name: c1
    image: nginx
    args: ["sleep", "infinity"]
    securityContext:
      runAsNonRoot: true
  initContainers:
  - name: init-c1
    image: nginx
    securityContext:
      runAsNonRoot: true