knative / build

A Kubernetes-native Build resource.
Apache License 2.0

Consider a mode for hermetic builds #10

Open mattmoor opened 6 years ago

mattmoor commented 6 years ago

We should be able to restrict the network access of steps so that users can enforce the hermeticity of their builds.

In terms of mechanism, something to consider is that service meshes like Istio inject egress proxies in addition to handling ingress. Perhaps we could leverage this mechanic to block (or perhaps filter) outbound traffic.

We would need the capacity for Source to run outside of this. We would likely also need a way to opt steps out, so that they may publish artifacts from the build.
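One way the egress-proxy idea above could be expressed, as an added example that is not from the issue author or the Knative Build project: an Istio `Sidecar` that restricts the proxy to registry-known hosts, paired with a Kubernetes `NetworkPolicy`, since the proxy setting by itself is not an enforced boundary. The `builds` namespace and the `hermetic: "true"` pod label are assumptions made for illustration.

```yaml
# Added example. Namespace "builds" and label hermetic=true are hypothetical.
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: hermetic-builds
  namespace: builds
spec:
  workloadSelector:
    labels:
      hermetic: "true"
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY        # drop traffic to hosts not in the mesh registry
  egress:
  - hosts:
    - "istio-system/*"         # only control-plane services stay visible
---
# Backstop enforced by the CNI plugin, independent of the proxy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: hermetic-builds-deny-egress
  namespace: builds
spec:
  podSelector:
    matchLabels:
      hermetic: "true"
  policyTypes:
  - Egress
  egress:
  - to:                        # let the proxy reach the Istio control plane
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: istio-system
  - to:                        # cluster DNS, needed to resolve the control plane
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Both resources select whole pods, and containers in a pod share one network namespace, so neither can exempt a single step. Letting Source fetch or a publishing step opt out would need those to run in a separately labelled pod or use a different mechanism.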

knative-housekeeping-robot commented 5 years ago

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.

/lifecycle stale