
Introduce deny default networkpolicy to all namespaces

Open phillebaba opened this issue 3 years ago • 2 comments

This change will add a network policy to all platform namespaces and then additional policies to allow traffic that is required.

There are currently two limitations with this solution, which are for the most part caused by running managed clusters.

  • Access to the API server can't be limited to just the specific IP, as it is dynamic and resolved through DNS. OSS Calico does not support DNS-based egress rules, and using the IP from Terraform would be risky if that IP changes in the middle of the night. The current solution is to allow pods that need API server access egress permission to all public IPs. We should revisit this in the future.
  • Controllers that implement Kubernetes webhooks have to allow traffic from the API server. I think I have figured out the CIDR used in AKS, but we should keep an eye on this to make sure that this is correct all of the time. We still need to figure out the network policy to use in EKS to make this possible.

phillebaba avatar Jul 10 '21 21:07 phillebaba
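As an added example (not code from this issue or from the terraform-modules project), the three policies the issue describes, built as plain dicts so they can be rendered for `kubectl apply`, together with a small evaluator that shows which destinations the "all public IPs" egress workaround actually reaches. The namespace name, pod labels, webhook port and `API_SERVER_CIDR` are placeholders (the issue does not state the AKS CIDR, so an RFC 5737 documentation range stands in for it); the DNS rule assumes the cluster sets the standard `kubernetes.io/metadata.name` namespace label. The `except` list adds 169.254.0.0/16 on top of RFC 1918 so that "all public IPs" cannot be used to reach the cloud instance metadata endpoint.

```python
"""
Default-deny NetworkPolicy plus the allow policies discussed in the issue.
Added example, not the project's own code; names are placeholders.
"""
import ipaddress
import json

NAMESPACE = "platform-example"          # placeholder namespace
API_SERVER_CIDR = "203.0.113.0/24"      # placeholder (RFC 5737), not the real AKS CIDR
WEBHOOK_PORT = 9443                     # placeholder webhook listen port

# Ranges the "all public IPs" rule must never cover: RFC 1918 plus link-local,
# which includes the cloud instance metadata endpoint 169.254.169.254.
PRIVATE_EXCEPT = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"]


def _policy(name: str, namespace: str, spec: dict) -> dict:
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": spec,
    }


def default_deny_policy(namespace: str) -> dict:
    """Empty podSelector selects every pod; declaring both policyTypes with no
    ingress/egress rules denies all traffic in the namespace."""
    return _policy("default-deny-all", namespace,
                   {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]})


def allow_dns_egress(namespace: str) -> dict:
    """Without this, a default-deny namespace cannot even resolve names."""
    return _policy("allow-dns-egress", namespace, {
        "podSelector": {},
        "policyTypes": ["Egress"],
        "egress": [{
            "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
            "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
        }],
    })


def allow_public_egress(namespace: str, pod_labels: dict) -> dict:
    """The issue's workaround: pods needing the API server get egress to every
    public IP, since the API server IP is dynamic and OSS Calico cannot match
    on DNS names. Private and link-local ranges are carved out with `except`."""
    return _policy("allow-public-egress", namespace, {
        "podSelector": {"matchLabels": pod_labels},
        "policyTypes": ["Egress"],
        "egress": [{
            "to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": PRIVATE_EXCEPT}}],
            "ports": [{"protocol": "TCP", "port": 443}],
        }],
    })


def allow_apiserver_ingress(namespace: str, pod_labels: dict,
                            cidr: str = API_SERVER_CIDR, port: int = WEBHOOK_PORT) -> dict:
    """Webhook controllers must accept connections from the control plane."""
    return _policy("allow-apiserver-webhook", namespace, {
        "podSelector": {"matchLabels": pod_labels},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"ipBlock": {"cidr": cidr}}],
            "ports": [{"protocol": "TCP", "port": port}],
        }],
    })


def egress_allowed(policy: dict, dst_ip: str, port: int, protocol: str = "TCP") -> bool:
    """Evaluate one policy's ipBlock egress rules in isolation (real policies
    are additive and also depend on pod/namespace selectors)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy["spec"].get("egress", []):
        ports = rule.get("ports")
        if ports and not any(p.get("protocol", "TCP") == protocol and p["port"] == port for p in ports):
            continue
        for peer in rule.get("to", []):
            block = peer.get("ipBlock")
            if block is None or ip not in ipaddress.ip_network(block["cidr"]):
                continue
            if any(ip in ipaddress.ip_network(ex) for ex in block.get("except", [])):
                continue
            return True
    return False


def render(policies: list) -> str:
    """A v1 List in JSON is valid YAML, so the output works with `kubectl apply -f -`."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": policies}, indent=2)


if __name__ == "__main__":
    labels = {"app": "example-controller"}   # placeholder selector
    print(render([default_deny_policy(NAMESPACE), allow_dns_egress(NAMESPACE),
                  allow_public_egress(NAMESPACE, labels),
                  allow_apiserver_ingress(NAMESPACE, labels)]))
```

Running the module prints the manifests; `egress_allowed` is there to check the carve-outs before applying them, for example that 169.254.169.254 stays unreachable while an arbitrary public address on 443 is permitted.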

You might already know this, but apparently there are two ways AKS talks to Azure. One way is tunnelfront and the other one is called aks-link. I don't think we need to take this into consideration since the network policies are already in place for them, but good to think about.

aks-link is rarely mentioned in the docs https://docs.microsoft.com/en-us/azure/architecture/operator-guides/aks/aks-triage-node-health#2--verify-the-control-plane-and-worker-node-connectivity

https://github.com/Azure/AKS/issues/1923

NissesSenap avatar Aug 03 '21 07:08 NissesSenap

@phillebaba what's the status of this PR?

simongottschlag avatar Oct 07 '21 19:10 simongottschlag