[PLATFORM-2185] Configure Image Provenance admission control with Gatekeeper

Chart.yaml

 apiVersion: v2
 name: constraint-templates
-version: 1.5.4
+version: 1.5.5
 appVersion: 1.0.0

templates/constraint_image_admission_controller.yaml

+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8simageprovenance
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sImageProvenance
+      validation:
+        openAPIV3Schema:
+          type: object
+          properties:
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8simageprovenance
+
+        violation[{"msg": msg}] {
+          input.review.object.kind == "Pod"
+          container := input.review.object.spec.containers[_]
+          not startswith(container.image, "docker.io/")
+          not startswith(container.image, "quay.io/")
+          not startswith(container.image, "public.ecr.aws/")
+          not startswith(container.image, "gcr.io/")
+          not startswith(container.image, "ghcr.io/")
+          not startswith(container.image, "harbor.")
+          not startswith(container.image, "gitlab.")
+          msg := sprintf("Image %v is not from an allowed repository", [container.image])
+        }
+---
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sImageProvenance
+metadata:
+  name: image-provenance-constraint
+spec:
+  enforcementAction: deny
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]