Allow traffic to istio-sidecar-injector on port 9443.

[jkbschmid]

Problem

NetworkPolicy blocks traffic from API server to istio-sidecar-injector.

Solution

• Allow everyone to access istio-sidecar-injector on its https port.
• Remove other ports from NetworkPolicy.
• Remove NamespaceSelector since API server has no namespace.

Fixes https://github.com/cloudfoundry/cf-for-k8s/issues/69

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/171877759

The labels on this github issue will be updated when the story is started.

[tcdowney]

Thanks @jkbschmid!

I commented on this in the original issue (https://github.com/cloudfoundry/cf-for-k8s/issues/69#issuecomment-601265320), but want to mention it here as well that this is a big indicator that the GKE clusters we're testing with in CI are not providing enough coverage.

Created a placeholder story for us to address this: https://www.pivotaltracker.com/story/show/171883349