feat: propose k8s admission policy controller design #1681

@AKonnyaku

Description

We will define a k8s-native admission policy controller that makes casbin easy to run and operate.

  • unify crd-based policy storage and informer watcher to manage k8s resource policies
  • implement admission webhook for create and update operations, querying casbin models for allow or deny decisions
  • provide rule templates for pod security, image tag validation, resource quotas and namespace isolation scenarios
  • add dry-run mode, audit of existing resources and metrics to support safe rollout and operational visibility
  • package helm charts and a cli tool for installation and include ci benchmarks to guard performance and correctness
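
The webhook and dry-run bullets above, sketched as an added example that is not part of the issue or of the casbin code base: a hard-coded image-tag rule stands in for the Casbin enforcer query, and `Decide`, `pinned`, `request` and `response` are hypothetical names. It assumes Pod objects and checks only `spec.containers`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type request struct { // decode-only subset of admission.k8s.io/v1 (JSON keys match case-insensitively)
	UID, Operation string
	Object         struct{ Spec struct{ Containers []struct{ Image string } } }
}
type response struct { // AdmissionReview.response fields used here
	UID      string            `json:"uid"`
	Allowed  bool              `json:"allowed"`
	Status   map[string]string `json:"status,omitempty"`
	Warnings []string          `json:"warnings,omitempty"`
}
// pinned: the image's last path segment has a digest or a tag other than "latest".
func pinned(image string) bool {
	last := image[strings.LastIndex(image, "/")+1:] // skip registry host:port
	tag := last[strings.LastIndex(last, ":")+1:]
	return strings.Contains(last, ":") && tag != "" && tag != "latest"
}

// Decide answers a Pod AdmissionReview; in dry-run, violations become warnings, not denials.
func Decide(raw []byte, dryRun bool) (*response, error) {
	var in struct{ Request *request }
	if err := json.Unmarshal(raw, &in); err != nil || in.Request == nil {
		return nil, fmt.Errorf("malformed AdmissionReview (decode error: %v)", err)
	}
	out := &response{UID: in.Request.UID, Allowed: true}
	var bad []string
	for _, c := range in.Request.Object.Spec.Containers {
		if op := in.Request.Operation; (op == "CREATE" || op == "UPDATE") && !pinned(c.Image) {
			bad = append(bad, "image "+c.Image+" needs a digest or a non-latest tag")
		}
	}
	if dryRun {
		out.Warnings = bad
	} else if len(bad) > 0 {
		out.Allowed, out.Status = false, map[string]string{"message": strings.Join(bad, "; ")}
	}
	return out, nil
}

func main() { // constructed sample request, evaluated in dry-run mode
	r, err := Decide([]byte(`{"request":{"uid":"u1","operation":"CREATE","object":{"spec":{"containers":[{"image":"nginx:latest"}]}}}}`), true)
	fmt.Println(r.Allowed, r.Warnings, err)
}
```

The returned `response` is what a handler would place in the `response` field of the AdmissionReview it sends back, echoing the request `uid`.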
