compliantkubernetes-apps
Update default gatekeeper enforcement
Is your feature request related to a problem? Please describe.
We recently found that warn is an option for enforcement, which serves as a nice middle ground between deny and dry-run. Changing some of our policies to warn could help users adopt some gatekeeper policies, since dry-run is easy to ignore and some of our deny policies are hard to comply with for new users.
Describe the solution you'd like
Change the default for the networkpolicy and container registry policies to warn, since these are usually the hardest to comply with. Change deny-latest to deny, since that is very important and relatively easy to comply with. Keep require-resource-requests as deny, since that is also important and easy to comply with.
The migration guide should include recommendations on how to work with this for current users. The most important part here is that it can be very disruptive to change enforcement to deny from dry-run or warn, so only do that with explicit permission from users. Here are some suggestions:
- If the new default is deny and the environment does not already have deny on that specific policy, then override with warn and inform the user that they should work toward being able to have deny in the future.
- If the new default is warn and the environment has deny, then leave it at deny (possibly requiring an override config).
- If the new default is warn and the environment has dry-run, then use warn (possibly requiring removal of override config).
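The three migration rules above can be encoded as a small decision table so the migration step is repeatable per environment. The helper below is an added example, not code from the compliantkubernetes-apps project: it takes the proposed new default and the environment's current enforcement for each policy, returns the action to set, whether that action differs from the new default (and therefore needs override config kept or added), and whether the user should be informed to work toward deny. The action values "deny", "warn" and "dryrun" are the ones Gatekeeper accepts in `spec.enforcementAction` on a Constraint; the policy names and the sample environment are constructed for the example, and `render_constraint` builds a generic Constraint manifest with a placeholder kind.

```python
"""Migration helper for Gatekeeper enforcement defaults (added example)."""
from dataclasses import dataclass

# Action values accepted in spec.enforcementAction of a Gatekeeper Constraint.
ACTIONS = ("deny", "warn", "dryrun")

# Constructed: the new defaults proposed in this issue, keyed by policy name.
NEW_DEFAULTS = {
    "networkpolicy": "warn",
    "container-registry": "warn",
    "deny-latest": "deny",
    "require-resource-requests": "deny",
}


@dataclass(frozen=True)
class Decision:
    action: str           # value to put in spec.enforcementAction
    needs_override: bool  # True when action differs from the new default
    inform_user: bool     # True when the user should be told to work toward deny


def resolve_enforcement(new_default: str, current: str) -> Decision:
    """Apply the migration rules to one policy.

    - new default deny, environment not already deny -> warn, inform user
    - new default warn, environment deny              -> keep deny (override)
    - otherwise the new default applies (e.g. dry-run -> warn)
    """
    if new_default not in ACTIONS or current not in ACTIONS:
        raise ValueError(f"unknown enforcement action: {new_default!r}/{current!r}")
    if new_default == "deny" and current != "deny":
        # Never escalate to deny without explicit permission from the user.
        return Decision(action="warn", needs_override=True, inform_user=True)
    if new_default == "warn" and current == "deny":
        # Environment already complies with the stricter action; keep it.
        return Decision(action="deny", needs_override=True, inform_user=False)
    return Decision(action=new_default, needs_override=False, inform_user=False)


def plan_migration(current_env: dict, new_defaults: dict = NEW_DEFAULTS) -> dict:
    """Return a Decision per policy for one environment's current settings."""
    return {
        name: resolve_enforcement(new_defaults[name], current_env[name])
        for name in new_defaults
    }


def render_constraint(kind: str, name: str, action: str) -> dict:
    """Build a minimal Constraint manifest carrying the chosen action."""
    return {
        "apiVersion": "constraints.gatekeeper.sh/v1beta1",
        "kind": kind,  # placeholder; the real kind comes from the ConstraintTemplate
        "metadata": {"name": name},
        "spec": {"enforcementAction": action},
    }


if __name__ == "__main__":
    # Constructed sample environment: mixed deny / dry-run before the migration.
    sample_env = {
        "networkpolicy": "dryrun",
        "container-registry": "deny",
        "deny-latest": "dryrun",
        "require-resource-requests": "deny",
    }
    for policy, decision in plan_migration(sample_env).items():
        note = " (inform user: work toward deny)" if decision.inform_user else ""
        override = "override" if decision.needs_override else "default"
        print(f"{policy:26s} -> {decision.action:6s} [{override}]{note}")
```

Running the block prints one line per policy; in the sample environment networkpolicy and deny-latest end up at warn (deny-latest with a user notice, since its new default is deny), container-registry keeps deny through an override, and require-resource-requests stays at the deny default.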
Also update the public documentation to inform users about the new warn level of some policies. Users might otherwise find it confusing when a lot of new warnings start popping up in their terminal or CI/CD pipeline.
Describe alternatives you've considered
Additional context
Definition of done:
- Default enforcement is changed.
- Migration guide includes suggestions on how to handle config and when to inform users.
- Public docs are updated to explain these warnings.