feat: add network policy for workspaces

[jawnsy]

This will prevent ingress traffic for all workspace pods (already done by coderd on workspace start, but requires creation and cleanup of a network policy) via a policy defined in the Helm chart. In the future, this will make it possible to customize the ingress traffic if desired.

New policy:

$ kubectl describe networkpolicy ingress-deny-all
Name:         ingress-deny-all
Namespace:    coder-jawnsy-m
Created on:   2021-09-01 00:04:33 +0000 UTC
Labels:       app.kubernetes.io/managed-by=Helm
Annotations:  meta.helm.sh/release-name: coder
              meta.helm.sh/release-namespace: coder-jawnsy-m
Spec:
  PodSelector:     com.coder.resource=true
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress

Existing coderd-created policy (will still exist in 1.23, to be removed in 1.24 or later):

$ kubectl describe networkpolicy workspace-dxlmp
Name:         workspace-dxlmp
Namespace:    coder-jawnsy-m
Created on:   2021-09-01 00:07:39 +0000 UTC
Labels:       com.coder.environment.id=612d6e4a-21cb54ee1dc59d651f4e19e5
              com.coder.environment.name=workspace
              com.coder.resource=true
              com.coder.workspace.id=612d6e4a-21cb54ee1dc59d651f4e19e5
              com.coder.workspace.name=workspace
Annotations:  <none>
Spec:
  PodSelector:     com.coder.environment.id=612d6e4a-21cb54ee1dc59d651f4e19e5
  Allowing ingress traffic:
    <none> (Selected pods are isolated for ingress connectivity)
  Not affecting egress traffic
  Policy Types: Ingress

This is what Cilium's Network Policy Editor shows for this rule:

[shortcut-integration]

This pull request has been linked to Clubhouse Story #9782: Use single network isolation policy in helm chart.