Create a policy to detect 'oc debug'
Adds a new policy to detect attempts to access pods using oc debug.
Note that oc debug doesn't invoke kubectl exec or similar commands to access the pod, instead creating a new debug pod configured the same as the original pod. For this reason we need to look at process activity inside pods (that look like /bin/sh or /bin/bash), and account for the ability of users to customise the shell via oc debug --shell.
Ideally we would distinguish this activity based on pod name or pod annotations like debug.openshift.io/source-container, but this is not currently possible for runtime policies. Instead we label this as "Possible oc debug activity", and guide users towards the OpenShift audit logs for validation.
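An added example of the detection logic the description outlines, not the project's own policy code: the runtime side flags shell binaries executed inside a pod (with the shell list configurable to cover oc debug --shell), and a separate validation step uses the debug.openshift.io/source-container annotation when pod metadata is available out of band. Event and metadata shapes are constructed for this example.

```python
import os
from dataclasses import dataclass, field
from typing import Optional

# Shells the runtime policy matches by default. Because oc debug --shell lets a
# user pick another binary, the set is a parameter rather than hard-coded.
DEFAULT_SHELLS = frozenset({"sh", "bash"})
# Annotation OpenShift sets on oc debug pods; not visible to runtime policies,
# so it is only used here for the validation step.
DEBUG_ANNOTATION = "debug.openshift.io/source-container"
RUNTIME_LABEL = "Possible oc debug activity"
CONFIRMED_LABEL = "oc debug activity (confirmed by pod annotation)"


@dataclass
class ProcessEvent:          # constructed shape, not a real sensor schema
    pod: str
    namespace: str
    exe: str                 # absolute path of the executed binary


@dataclass
class PodMeta:               # constructed subset of pod metadata
    annotations: dict = field(default_factory=dict)


def is_interactive_shell(event: ProcessEvent, shells=DEFAULT_SHELLS) -> bool:
    """Runtime-policy check: the executed binary is one of the watched shells.
    Matching on the basename covers /bin/sh, /usr/bin/sh, /bin/bash, ..."""
    return os.path.basename(event.exe) in shells


def classify(event: ProcessEvent, pod_meta: Optional[PodMeta] = None,
             shells=DEFAULT_SHELLS) -> Optional[str]:
    """Return the label the policy would attach, refined by metadata if given."""
    if not is_interactive_shell(event, shells):
        return None
    if pod_meta is not None and DEBUG_ANNOTATION in pod_meta.annotations:
        return CONFIRMED_LABEL
    return RUNTIME_LABEL


def scan(events, metadata_by_pod=None, shells=DEFAULT_SHELLS):
    """Run the check over a batch of events; returns (namespace/pod, exe, label)."""
    metadata_by_pod = metadata_by_pod or {}
    hits = []
    for ev in events:
        label = classify(ev, metadata_by_pod.get(ev.pod), shells)
        if label:
            hits.append((f"{ev.namespace}/{ev.pod}", ev.exe, label))
    return hits
```

Hits carrying only the runtime label are the ones to cross-check against the OpenShift audit logs, as the description suggests.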