Firewalling - add network policies for the server interfaces and cluster VIP

Alain Thioliere requested to merge ath/firewall into main

What does this MR do and why?

This MR:

  • enables the automatic generation of host endpoints by calico
  • creates on all the clusters a set of rules to filter the traffic to the host endpoints and to the cluster VIP
  • creates kyverno policies on the management cluster to create global network sets matching the IP addresses of the cluster nodes. There is one policy working for the clusters deployed with capo and one policy working for the clusters deployed with capm3
  • creates a network policy on the management cluster only to allow some flows from the workload clusters, using the global network sets created by the kyverno policies
  • defines variables for the default policy of the deployed cluster (Allow or Deny, the default being Deny), and variables to define subnets allowed to reach the GUIs, SSH, and Kubernetes API. The default is to allow from all sources.

The network policies for pod traffic that doesn't use the host network namespace are not covered by this MR.
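As an added illustration of the pattern described above (not the MR's own manifests), the Calico side looks like this: host endpoints are generated automatically for every node, one policy allows SSH, the Kubernetes API and the cluster VIP from an assumed admin subnet plus node-to-node traffic from an assumed node subnet, and a lower-priority policy applies the Deny default. The subnets, the VIP and the policy names are placeholders.

```yaml
# Added example; 192.0.2.0/24, 10.0.0.0/24 and 10.0.0.100 are placeholders.
apiVersion: projectcalico.org/v3
kind: KubeControllersConfiguration
metadata:
  name: default
spec:
  controllers:
    node:
      hostEndpoint:
        autoCreate: Enabled   # one HostEndpoint per node, labelled by kube-controllers
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: host-ingress-allow
spec:
  order: 100                  # lower order wins: evaluated before the deny policy
  selector: projectcalico.org/created-by == 'calico-kube-controllers'
  types: [Ingress]
  ingress:
    - action: Allow           # SSH and API from the admin subnet only
      protocol: TCP
      source: { nets: ["192.0.2.0/24"] }
      destination: { ports: [22, 6443] }
    - action: Allow           # API via the cluster VIP hosted on a control-plane node
      protocol: TCP
      source: { nets: ["192.0.2.0/24"] }
      destination: { nets: ["10.0.0.100/32"], ports: [6443] }
    - action: Allow           # node-to-node traffic (kubelet, etcd, CNI, ...) from the node subnet
      source: { nets: ["10.0.0.0/24"] }
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: host-ingress-default-deny
spec:
  order: 1000                 # the Deny default from the cluster variables
  selector: projectcalico.org/created-by == 'calico-kube-controllers'
  types: [Ingress]
  ingress:
    - action: Deny
```

Without applyOnForward the policy only governs traffic terminating on the host itself, so pod-to-pod traffic stays untouched, matching the scope stated above. Once the Calico failsafe rules are removed, any node-to-node port not listed in the allow policy is cut, so that list has to be checked against the logs before the Deny default goes live.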

Related reference(s)

Depends on sylva-projects/sylva-elements/helm-charts/sylva-capi-cluster!361 to remove the failsafe rules

Test coverage

  • Deployment of capo and capm3 clusters
  • Verification of the logs to check that the flows are allowed, with tests of not allowed flows as well

cc: @samuelbartel , @pseite , @Yordle , @frmenguy

Edited by Alain Thioliere