feat: improve oci registry support

[oliverbaehler]

Describe the feature

Currently we have a very primitive way of enforcing OCI Registries for workloads:

apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  owners:
  - name: alice
    kind: User
  containerRegistries:
    allowed:
    - docker.io
    - quay.io
    allowedRegex: 'internal.registry.\\w.tld'

Registries

The enforcement of allowed registries is becoming such a core component, especially with [OCI Volumes mounts being stable[(https://kubernetes.io/docs/tasks/configure-pod-container/image-volumes/), we must provide a better enforcement of OCI Registires. In Addition we must also consider the handling of v2 registries (as with harbor for example, where the registry is derived from a path).

What would the new user story look like?

How would the new interaction with Capsule look like? E.g.

1. Add a new top-level structure where we will move all workload related properties to in the future:

apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  owners:
  - name: alice
    kind: User

  workloads: {}

2. Create a structure where oci registries can be defined. I suggest binding the pullpolicy to each registry:

---
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  owners:
  - name: alice
    kind: User
  enforce:
    registries:
      -  endpoint: "harbor/v2/proxy-gcr.io/*" (Probably suppport Regex)
         pullPolicy: "ifNotPresent" (defaults to ifNotPresent)
         pods: true (defaults to true)
         volumes: true (defaults to true)

3. Add Validating to intercept pod volumes where type is image and verify against registires, if set
4. Implement Registries which are complianet with v2 format.

[prometherion]

Fine for me in supporting regex, it absolutely makes sense.