feat: add label-based exclusion to inject-coco-initdata policy

Add exclude block to inject-coco-initdata Kyverno policy to skip
pods with label coco.io/skip-initdata: "true".

This allows special-purpose kata pods (like firmware collection pods)
to bypass init_data injection when they don't need attestation to KBS.

Use case: The firmware collection workflow (PR #89) needs to launch
a kata pod to collect TEE measurements using veritas, but doesn't
require init_data injection since it only accesses the TEE device
directly and doesn't request secrets from KBS.

Without this exclusion, the policy tries to inject init_data but
fails because the pod doesn't have the coco.io/initdata-configmap
annotation, blocking pod creation.

Usage: Add label coco.io/skip-initdata: "true" to any kata pod that
should bypass init_data injection.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: butler54

charts/all/coco-kyverno-policies/templates/inject-coco-initdata.yaml

@@ -24,6 +24,12 @@ spec:
                 - Pod
               operations:
                 - CREATE
+      exclude:
+        any:
+          - resources:
+              selector:
+                matchLabels:
+                  coco.io/skip-initdata: "true"
       preconditions:
         all:
           - key: "{{ "{{" }}request.object.spec.runtimeClassName || '' {{ "}}" }}"