bug: modified add-ambient-mode-namespace to not apply on kube-system nor istio-system namespace

[Shreesh-Gawande]

Related Issue(s)

Fixed #1280

Description

What does this PR do?

This PR updates the add-ambient-mode-namespace policy to prevent it from applying to system-critical namespaces. Specifically, it excludes kube-system and istio-system from being automatically labeled for the Istio Ambient data plane.

Additionally, this PR introduces a comprehensive test suite (kyverno-test.yaml) to validate the correctness of this exclusion logic.

Why is this change needed?

The original policy applied the istio.io/dataplane-mode=ambient label to all namespaces indiscriminately. Applying this label to system namespaces like kube-system and istio-system is not recommended and can lead to unexpected behavior or conflicts with core system components.

This change ensures the policy adheres to best practices by targeting only application namespaces, making it safer and more robust.

How were these changes implemented?

Policy Modification: An exclude block was added to the policy rule to explicitly ignore the kube-system and istio-system namespaces.

Test Suite Enhancement: The kyverno-test.yaml manifest has been updated to include test cases that verify:

The policy rule is correctly skipped for kube-system.

The policy rule is correctly skipped for istio-system.

• I have read the policy contribution guidelines.
• I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
• I have added the artifacthub-pkg.yml file and have verified it is complete and correct.

[JimBugwadia]

@Shreesh-Gawande - can you please help resolve the conflicts. so we can review and merge?