RunAsUserName Policy Constraint for windows pods

[jsturtevant]

Describe the solution you'd like
A policy that blocks ContainerAdministrator from being set on the WindowsOptions podspec. It is generally a good idea to run your containers with ContainerUser for windows pods. The users are not shared between the Container and host but the ContainerAdministrator does have additional privileges with in the container. In the PR for kubernetes/kubernetes#92355 an agree was made block ContainerAdministrator if RunAsNonRoot was specified.

The pod sec looks like (can also be set per container):

spec:
  securityContext:
    windowsOptions:
      runAsUserName: "ContainerUser"

There are also username limitations to be aware of: https://kubernetes.io/docs/tasks/configure-pod-container/configure-runasusername/#windows-username-limitations

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

The following has more information on Windows Security Policies which are currently being defined:
kubernetes/kubernetes#64801 (comment)

Environment:

• Gatekeeper version:
• Kubernetes version: (use kubectl version):

[stale]

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.