Implement workspace-based isolation of downstream namespaces through NetworkPolicies

[sttts]

Without NetworkPolicies in place, a tenant workload can connect to any IP in the location. This means it can port scan and maliciously interact with other tenants' workloads and services.

Question was whether we want to sync NetworkPolicies. My take:

1. we should use network policies to stop any ingress+egress traffic with namespaces that are not part of the workspace, but allow all ingress+egress within synced namespaces of the same workspace. As far as I see, namespace label selectors should be able to do that.
2. if the user wants to specify extra policies between namespaces of one workspace, I don't see why this shouldn't work and shouldn't be offered. I.e. during syncing we have to transform the policy a little to include the policy in (1). I hope that works. Somebody has to work that out in detail.

[ncdc]

Let's flesh out some specific action items for this - maybe turn into a mini-epic or split into separate specific tasks

[davidfestal]

Current take on this is summarized in ths comment: https://github.com/kcp-dev/contrib-tmc/issues/95

[mjudeikis]

/transfer-issue contrib-tmc