
Feat: Enhance PodOptions

Open niuxe opened this issue 5 months ago • 0 comments

Describe the feature

Currently it's possible to specify forbidden labels and annotations on namespaces. But there is no way of forbidding labels or annotations on Pods.

Also, it would be nice to forbid some Tolerations on pods.

What would the new user story look like?

  1. Cluster admin specifies forbidden labels / annotations / Tolerations under PodOptions.
  2. When the Tenant tries to create a pod with the forbidden label / annotation / Toleration the Capsule webhook does admit it.
  3. Error shown to the Tenant is that the pod contains a forbidden label / annotation / Toleration

The use case which brought this up is a cluster where some tenants are allowed to use nodes for special communication with a gateway. These nodes have taints to only allow certain pods.

But because Capsule doesn't have a way to forbid Tenants from putting the Tolerations on, every Tenant can be scheduled on these nodes.

niuxe, May 11 '25 19:05
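A sketch of the toleration check this request describes, added here as an illustration and not taken from Capsule's code base. The `Toleration` and `Taint` types are local stand-ins for the Kubernetes fields, `ForbiddenTolerations` is a hypothetical name, and the taint `example.com/gateway` is a constructed sample. It follows Kubernetes matching semantics rather than comparing keys literally, because a toleration with operator `Exists` and no key tolerates every taint and would pass a naive key comparison.

```go
package main

import "fmt"

// Toleration mirrors the key/operator/value/effect fields of a pod toleration.
type Toleration struct {
	Key, Operator, Value, Effect string
}

// Taint is a node taint the cluster admin wants to protect (hypothetical policy input).
type Taint struct {
	Key, Value, Effect string
}

// tolerates applies the Kubernetes matching rules: an empty effect matches any
// effect, Exists ignores the value, Exists with an empty key matches every
// taint, and an unset operator behaves as Equal.
func tolerates(t Toleration, taint Taint) bool {
	if t.Effect != "" && t.Effect != taint.Effect {
		return false
	}
	if t.Key == "" || t.Operator == "Exists" {
		return t.Operator == "Exists" && (t.Key == "" || t.Key == taint.Key)
	}
	return t.Key == taint.Key && t.Value == taint.Value
}

// ForbiddenTolerations returns one message per pod toleration that would let
// the pod onto a protected taint; an empty result means the pod can be admitted.
func ForbiddenTolerations(pod []Toleration, protected []Taint) []string {
	var denied []string
	for _, t := range pod {
		for _, taint := range protected {
			if tolerates(t, taint) {
				denied = append(denied, fmt.Sprintf("toleration %+v matches protected taint %s=%s:%s",
					t, taint.Key, taint.Value, taint.Effect))
				break
			}
		}
	}
	return denied
}

func main() {
	protected := []Taint{{"example.com/gateway", "true", "NoSchedule"}} // constructed sample
	fmt.Println(ForbiddenTolerations([]Toleration{{Operator: "Exists"}}, protected))
}
```
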