Open
Description
Currently, the SandboxClaim controller only creates a NetworkPolicy if the SandboxTemplate explicitly defines one.
In Reconcile, check if the SandboxTemplate has a NetworkPolicy defined.
Scenario A (No Policy): Create a default NetworkPolicy for this Sandbox that denies all Ingress/Egress (except necessary DNS/Proxy traffic).
Scenario B (User Policy): If a policy exists, ideally append a mandatory rule blocking (Metadata Server) to ensure even custom policies don't accidentally expose credentials.
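A sketch of the kind of default policy Scenario A describes, added here as an illustration and not taken from the project's code. The policy name, namespace and pod label are hypothetical, the DNS selector assumes a cluster DNS running as `k8s-app: kube-dns` pods in `kube-system`, and the proxy exception is left out because the issue does not say where the proxy runs.

```yaml
# Added example: default-deny NetworkPolicy for a single sandbox pod.
# All names and labels below are assumptions, not values from the issue.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: sandbox-default-deny            # hypothetical policy name
  namespace: sandboxes                  # hypothetical namespace
spec:
  # Select only the pod(s) belonging to this sandbox.
  podSelector:
    matchLabels:
      example.com/sandbox: my-sandbox   # hypothetical label set by the controller
  # Listing both types with no matching allow rule denies that direction.
  policyTypes:
    - Ingress
    - Egress
  # No "ingress" key: every inbound connection to the sandbox is denied.
  egress:
    # Single exception: DNS lookups to the cluster DNS pods.
    # namespaceSelector and podSelector in the same list item are ANDed,
    # so only kube-dns pods inside kube-system match.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy rules are additive allow-lists, so with only the DNS rule present every other destination, a metadata server included, is unreachable from the sandbox. This holds only when the cluster's CNI plugin enforces NetworkPolicy.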