
feat(scorecard): add psa labels for scorecard namespace #621

Merged
merged 2 commits into from
Sep 12, 2023

Conversation

tthvo
Member

@tthvo tthvo commented Sep 8, 2023

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

Related to #450

Description of the change:

Label namespace to warn and audit violations to restricted standards. This is similar to SCC on OpenShift 4.11 or 4.12 (if I remember correctly).

Ideally, we would want to set enforcing mode but there is an issue with the bundle pod (i.e. runAsNonRoot is not true) - See below.

Motivation for the change:

Scorecard pods are run with security contexts conforming to restricted standards.

operator-sdk scorecard -n $(SCORECARD_NAMESPACE) -s cryostat-scorecard -w 20m $(BUNDLE_IMG) --pod-security=restricted

However, scorecard namespace is not labelled to enforce such restricted policy.

@tthvo tthvo added feat New feature or request test labels Sep 8, 2023
Member Author

tthvo commented Sep 8, 2023

This is mainly for running on k8s clusters (i.e. OCP should already have SCC). I could not use enforce restricted mode due to:

INFO[0008] Creating a File-Based Catalog of the bundle "quay.io/cryostat/cryostat-operator-bundle:2.4.0-dev" 
INFO[0009] Generated a valid File-Based Catalog         
FATA[0009] Failed to run bundle: create catalog: error creating registry pod: error creating pod: pods "quay-io-cryostat-cryostat-operator-bundle-2-4-0-dev" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "registry-grpc" must set securityContext.runAsNonRoot=true) 

Issue: operator-framework/operator-sdk#6430
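As an added illustration (not Cryostat or Kubernetes code) of why warn and audit labels were chosen over enforce: a small Python model of Pod Security Admission that checks the restricted-profile runAsNonRoot rule from the log above (plus allowPrivilegeEscalation, which this PR does not mention) and applies the namespace labels the way PSA does, so the same registry pod is admitted with warnings under the labels this PR adds but rejected under enforce. The label keys are the real pod-security.kubernetes.io ones; the namespace labels and the pod spec are constructed sample input.

```python
from typing import Dict, List

# Modelled levels; only the restricted rules are checked below.
LEVELS = {"privileged": 0, "baseline": 1, "restricted": 2}
LABEL_PREFIX = "pod-security.kubernetes.io/"


def restricted_violations(pod: dict) -> List[str]:
    """Messages for the restricted-profile rules (subset) the pod breaks."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    problems = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        # runAsNonRoot may be set on the pod; a container value overrides it.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f'runAsNonRoot != true (pod or container "{c["name"]}" '
                            "must set securityContext.runAsNonRoot=true)")
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f'allowPrivilegeEscalation != false (container "{c["name"]}" '
                            "must set securityContext.allowPrivilegeEscalation=false)")
    return problems


def admit(ns_labels: Dict[str, str], pod: dict) -> dict:
    """Apply the namespace's enforce/audit/warn labels to one pod spec."""
    out = {"admitted": True, "warnings": [], "audit": []}
    violations = restricted_violations(pod)
    for mode in ("enforce", "audit", "warn"):
        level = ns_labels.get(LABEL_PREFIX + mode, "privileged")
        # Baseline is treated as passing here; only restricted rules are modelled.
        if LEVELS[level] < LEVELS["restricted"] or not violations:
            continue
        if mode == "enforce":
            out["admitted"] = False      # the admission request is rejected
        elif mode == "audit":
            out["audit"] = violations    # recorded in the audit log only
        else:
            out["warnings"] = violations # returned to the client as warnings
    return out


# Constructed sample input: the labels this PR adds (warn + audit, no enforce)
# and a registry pod like the one in the FATA log, with runAsNonRoot unset.
SCORECARD_NS = {LABEL_PREFIX + "warn": "restricted", LABEL_PREFIX + "audit": "restricted"}
ENFORCING_NS = dict(SCORECARD_NS, **{LABEL_PREFIX + "enforce": "restricted"})
REGISTRY_POD = {"spec": {"containers": [
    {"name": "registry-grpc", "securityContext": {"allowPrivilegeEscalation": False}}]}}
```

Calling admit(SCORECARD_NS, REGISTRY_POD) admits the pod and reports the runAsNonRoot violation as a warning and an audit entry, while admit(ENFORCING_NS, REGISTRY_POD) rejects it, which is the behaviour the FATA line above shows.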

Member

@ebaron ebaron left a comment


Hey @tthvo! Thanks for doing this, great idea! Just one small nit.

Member

@ebaron ebaron left a comment


Looks good! Thanks again @tthvo!

@ebaron ebaron merged commit 788f71f into cryostatio:main Sep 12, 2023
15 checks passed
@tthvo tthvo deleted the scorecard-ns branch September 12, 2023 19:34
Labels
feat New feature or request safe-to-test test