Cluster operators may want to provide a more specific rejection message than
those provided by the policy author.
The rejection message from the cluster operator should have more priority than
the ones from the policy author, as some policies may need recompilation for
their messages to change.
Acceptance criteria
Add a new spec.message to (Cluster)AdmissionPolicies, optional, that expects a string.
If provided, this new field will specify the message used when the policy
performs a rejection. This substitutes the original rejection message provided
by the policy (usually hardcoded). The original rejection message will be
available as part of the Warnings inside of the AdmissionResponse object.
Considerations
Both Rego and CEL already support custom rejection messages via
deny[msg] { msg } (example), and validations[ {expression, messageExpression}]
(example). Yet Rego policies need recompilation.
Both of these messages will be part of the Warnings if the new spec.message is used.
PolicyGroups already have spec.message, and the per-member messages already are part of the Warnings.
For PolicyReports no changes are needed. The error message will end up in the
PolicyReportResult spec.Description, as usual rejection messages do. We need to
schedule work to include the messages in Warnings into PolicyReportResults
nevertheless.
In the future, we could add a new spec.messageExpression, optional, that expects a CEL expression.
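
The override behaviour described in the acceptance criteria, sketched in Go as an added example that is not part of the original issue or the project's code. applyOperatorMessage is a hypothetical helper, and the structs are minimal stand-ins for the AdmissionResponse fields involved.

```go
package main

import "fmt"

// Minimal stand-ins (assumption) for the AdmissionResponse fields used here.
type Status struct {
	Message string
	Code    int32
}

type AdmissionResponse struct {
	Allowed  bool
	Result   *Status // the rejection status carrying the message
	Warnings []string
}

// applyOperatorMessage (hypothetical helper) applies the operator's spec.message:
// on a rejection it replaces the policy's message and moves the original into Warnings.
func applyOperatorMessage(resp AdmissionResponse, specMessage string) AdmissionResponse {
	if resp.Allowed || specMessage == "" {
		return resp // accepted request or field unset: nothing to override
	}
	out := resp
	// Copy the slice so the caller's response is not mutated.
	out.Warnings = append([]string(nil), resp.Warnings...)
	var code int32
	if resp.Result != nil {
		code = resp.Result.Code // keep the policy's status code
		if resp.Result.Message != "" {
			out.Warnings = append(out.Warnings, resp.Result.Message)
		}
	}
	out.Result = &Status{Message: specMessage, Code: code}
	return out
}

func main() {
	// Constructed sample rejection with a hardcoded policy message.
	rejected := AdmissionResponse{
		Result:   &Status{Message: "privileged containers are not allowed", Code: 400},
		Warnings: []string{"existing warning"},
	}
	got := applyOperatorMessage(rejected, "Blocked by platform team, see the internal runbook")
	fmt.Println("message: ", got.Result.Message)
	fmt.Println("warnings:", got.Warnings)
}
```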