Is your feature request related to a problem? Please describe.
We received a suggestion in GKE that the vault-agent-injector-cfg was "Intercepting resources in the kube-system namespace" and linked to their docs at https://cloud.google.com/kubernetes-engine/docs/how-to/optimize-webhooks#unsafe-webhooks for resolution.
Specifically, "A webhook is flagged if scope is *. Or, a webhook is flagged if scope is Namespaced and includes kube-system and kube-node-lease".
If a webhook is intercepting any resources in system-managed namespaces, or certain types of resources, GKE considers this unsafe and recommends that you update the webhooks to avoid intercepting these resources.
Describe the solution you'd like
If I'm understanding correctly, should an optional rule scope be added to the MutatingWebhookConfiguration?
vault-helm/templates/injector-mutating-webhook.yaml
Lines 34 to 38 in 36dafa0
Describe alternatives you've considered
None
Additional context
None
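The flagging rule quoted in the issue, applied to constructed webhook entries (an added example, not code from the issue or from vault-helm). It assumes "includes" means the webhook's namespaceSelector matches either system namespace and that those namespaces carry only the automatic kubernetes.io/metadata.name label; `selector_matches` and `flag_reasons` are hypothetical helper names.

```python
# Added example: applies the flagging rule quoted in the issue to webhook dicts.
SYSTEM_NAMESPACES = ("kube-system", "kube-node-lease")
# Label that recent Kubernetes versions set automatically on every namespace.
NAME_LABEL = "kubernetes.io/metadata.name"


def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector (matchLabels + matchExpressions)."""
    for key, value in (selector or {}).get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in (selector or {}).get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True  # an empty or missing selector matches every namespace


def flag_reasons(webhook):
    """Return the reasons one webhook entry would be flagged, empty if none."""
    reasons = []
    for i, rule in enumerate(webhook.get("rules", [])):
        scope = rule.get("scope", "*")  # the API defaults an omitted scope to "*"
        if scope == "*":
            reasons.append(f"rules[{i}]: scope is *")
        elif scope == "Namespaced":
            # Assumption: system namespaces carry only the automatic name label.
            hit = [ns for ns in SYSTEM_NAMESPACES
                   if selector_matches(webhook.get("namespaceSelector"), {NAME_LABEL: ns})]
            if hit:
                reasons.append(f"rules[{i}]: Namespaced scope includes {', '.join(hit)}")
    return reasons


# Constructed sample entries (not taken from the vault-helm chart).
RULE = {"operations": ["CREATE"], "apiGroups": [""], "apiVersions": ["v1"], "resources": ["pods"]}
unscoped = {"name": "unscoped.example", "rules": [RULE]}
namespaced_only = {"name": "ns.example", "rules": [{**RULE, "scope": "Namespaced"}]}
excluded = {**namespaced_only, "name": "excluded.example", "namespaceSelector": {
    "matchExpressions": [{"key": NAME_LABEL, "operator": "NotIn",
                          "values": list(SYSTEM_NAMESPACES)}]}}
```

Setting scope to Namespaced alone still leaves the second entry flagged; only the entry that also excludes both system namespaces through its namespaceSelector comes back clean.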