Enable more Kyverno policies by default for workload clusters

Today the kyverno-policies unit, which defines many generic Kyverno policies, is enabled only for the management cluster.

kustomize-units/kyverno-policies/generic/
├── always-allow-pdb-unhealthy-pod-eviction.yaml
├── components
│   ├── bootstrap-cluster-only
│   │   └── kustomization.yaml
│   ├── check-images
│   │   ├── check-images.yaml
│   │   └── kustomization.yaml
│   ├── descheduler
│   │   ├── kustomization.yaml
│   │   ├── resume-descheduler.yaml
│   │   └── suspend-descheduler.yaml
│   ├── disallow-default-namespace
│   │   ├── disallow-default-namespace.yaml
│   │   └── kustomization.yaml
│   ├── force-reconcile-helmreleases
│   │   ├── force-reconcile-helmreleases.yaml
│   │   └── kustomization.yaml
│   ├── loki-aggregated-secrets
│   │   ├── kustomization.yaml
│   │   └── loki-aggregated-secrets.yaml
│   ├── management-cluster-only
│   │   └── kustomization.yaml
│   └── thanos
│       ├── kustomization.yaml
│       ├── resume-thanos-compactor.yaml
│       ├── suspend-thanos-compactor.yaml
│       └── thanos-aggregated-secrets.yaml
├── disable-automount-sa.yaml
├── ensure-force-cluster-policy.yaml
├── ensure-pdb-minreplicas.yaml
├── ensure-pdb-unhealthypodeviction.yaml
├── kustomization.yaml
└── tag.yaml

As a result, workload clusters don't get any of those policies.

Some of those, however, would certainly be relevant for workload clusters, and some would perhaps be desirable (or even required) from a security standpoint, or from a reliability standpoint.

However, we can't safely enable all of them without risking incompatibilities with CNFs or other workloads.

We need to enable more of those policies after discussing which are required in workload clusters.

Related issue (as an example): #1700 (closed)

/cc @alain.thioliere @cristian.manda @feleouet @pseite @samuelbartel