webhooks customization should expose `namespaceSelector`

[wrdls]

Checklist

• [X] I did not find a related open enhancement request.
• [X] I understand that enhancement requests filed in the GitHub repository are by default low priority.
• [X] If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

We want to fully exclude system namespace like kube-system as well as other critical namespaces like istio-system from certain webhooks to ensure cluster stability.

See the GKE docs on this: https://cloud.google.com/kubernetes-engine/docs/how-to/optimize-webhooks#unsafe-webhooks

Additional information

Example of how this feature could look like

apiVersion: customize.core.cnrm.cloud.google.com/v1beta1
kind: ValidatingWebhookConfigurationCustomization
metadata:
  name: validating-webhook
spec:
  webhooks:
    - name: deny-immutable-field-updates
      namespaceSelector:
        matchExpressions:
          - key: kubernetes.io/metadata.name
            operator: NotIn
            values:
              - kube-system
              - kube-node-lease

Importance

This is highly important for us to consider Config Connector as a serious option to run in our production environments.

[cheftako]

@nicslatts