kubewarden-controller
Global reject list for `ClusterAdmissionPolicy`, to allow operators to define the namespaces that the policies should ignore. Or document a best practice to add this reject list in the policy definition.
As described in threat #11 of the threat model, bad actors can deploy workloads to namespaces not covered by the admission control. To help mitigate this, ClusterAdmissionPolicy could have a reject list configuration which allows operators to define which namespaces should be ignored by the policy. Another option is to document how operators could achieve the same behavior with the configuration already in place, like the namespace selectors.
NOTE: This is an issue created from the RFC discussing the admission control threat model. It's created to allow the Kubewarden team to discuss the proposed mitigation further and start to work on each actionable item when possible.
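
An added example, not part of the original issue or of the Kubewarden code base: a small audit that evaluates each policy's namespace selector with Kubernetes `LabelSelector` semantics and reports the namespaces that policy never evaluates, which is the coverage gap described above. The policy names, namespaces and labels are constructed sample data, the function names are hypothetical, and an absent selector is assumed to match every namespace.

```python
# Added example: list the namespaces each policy's namespaceSelector leaves uncovered.
# Selector semantics follow the Kubernetes LabelSelector (matchLabels + matchExpressions).

def selector_matches(selector, labels):
    """Return True if a LabelSelector dict matches the given namespace labels."""
    selector = selector or {}  # assumption: absent selector matches every namespace
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        if op == "In":
            ok = key in labels and labels[key] in values
        elif op == "NotIn":  # also matches namespaces that lack the key entirely
            ok = key not in labels or labels[key] not in values
        elif op == "Exists":
            ok = key in labels
        elif op == "DoesNotExist":
            ok = key not in labels
        else:
            raise ValueError(f"unknown operator: {op}")
        if not ok:
            return False
    return True

def uncovered_namespaces(policies, namespaces):
    """Map policy name -> sorted list of namespaces its selector skips."""
    return {
        name: sorted(ns for ns, labels in namespaces.items()
                     if not selector_matches(sel, labels))
        for name, sel in policies.items()
    }

# Constructed sample data (hypothetical namespaces and policy names).
NAMESPACES = {
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
    "kubewarden": {"kubernetes.io/metadata.name": "kubewarden"},
    "payments": {"kubernetes.io/metadata.name": "payments", "team": "pay"},
    "scratch": {"kubernetes.io/metadata.name": "scratch"},
}
POLICIES = {
    "no-privileged-pods": {"matchExpressions": [{
        "key": "kubernetes.io/metadata.name", "operator": "NotIn",
        "values": ["kube-system", "kubewarden"]}]},
    "pay-team-only": {"matchLabels": {"team": "pay"}},
    "everything": None,
}

if __name__ == "__main__":
    for policy, skipped in uncovered_namespaces(POLICIES, NAMESPACES).items():
        print(f"{policy}: not evaluated in {skipped or 'no namespaces'}")
```

Any namespace that appears in a policy's skipped list is one where that policy's checks do not run, so the list is what an operator would review before accepting an exclusion.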