remove some namespaces from privileged_ns for guardrails #4126
Which issue this PR addresses:
Fixes ARO-15551
What this PR does / why we need it:
Removed some unnecessary namespaces from privileged_ns in common.rego, as some of them are empty after a fresh install, or customer operations were found in them during the previous sample rollout in dryrun mode:
empty namespaces found on sre-shared-cluster:
No resources found in kube-node-lease namespace.
No resources found in kube-public namespace.
No resources found in openshift-config-managed namespace.
No resources found in openshift-console-user-settings namespace.
No resources found in openshift-host-network namespace.
No resources found in openshift-operators namespace.
Reported customer violations from the fleet in namespace openshift-operator-lifecycle-manager:
- [email protected] not allowed to DELETE catalog-operator-xxx-xxx(or olm-operator-xxx-xxx) in namespace openshift-operator-lifecycle-manager
Test plan for issue:
$ ./scripts/test.sh
expand constraints gkconstraints/aro-cluster-role-deny.yaml
expand constraints gkconstraints/aro-machine-config-deny.yaml
expand constraints gkconstraints/aro-machines-deny.yaml
expand constraints gkconstraints/aro-master-toleration-pod-deny.yaml
expand constraints gkconstraints/aro-privileged-namespace-deny.yaml
expand constraints gkconstraints/aro-pull-secret-deny.yaml
expand constraints gkconstraints/aro-service-account-deny.yaml
[opa test] -> gktemplates-src/library/common.rego gktemplates-src/aro-deny-delete-pull-secret/*.rego
PASS: 4/4
[gator verify] -> gktemplates-src/aro-deny-delete-pull-secret
=== RUN deny-pull-secret-delete-tests
=== RUN allow-create-pull-secret
--- PASS: allow-create-pull-secret (0.005s)
=== RUN allow-update-pull-secret
--- PASS: allow-update-pull-secret (0.003s)
=== RUN not-allow-delete-pull-secret
--- PASS: not-allow-delete-pull-secret (0.003s)
--- PASS: deny-pull-secret-delete-tests (0.017s)
ok gktemplates-src/aro-deny-delete-pull-secret/suite.yaml 0.017s
PASS
[opa test] -> gktemplates-src/library/common.rego gktemplates-src/aro-deny-labels/*.rego
PASS: 3/3
[gator verify] -> gktemplates-src/aro-deny-labels
=== RUN machines-deny
=== RUN master-machine-deny
--- PASS: master-machine-deny (0.003s)
=== RUN worker-machine-allowed
--- PASS: worker-machine-allowed (0.002s)
=== RUN no-label-machine-allowed
--- PASS: no-label-machine-allowed (0.002s)
--- PASS: machines-deny (0.011s)
ok gktemplates-src/aro-deny-labels/suite.yaml 0.011s
PASS
[opa test] -> gktemplates-src/library/common.rego gktemplates-src/aro-deny-machine-config/*.rego
PASS: 5/5
[gator verify] -> gktemplates-src/aro-deny-machine-config
=== RUN deny-cluster-machineconfig-modification-tests
=== RUN not-allow-create-cluster-machine-config
--- PASS: not-allow-create-cluster-machine-config (0.005s)
=== RUN not-allow-delete-cluster-machine-config
--- PASS: not-allow-delete-cluster-machine-config (0.003s)
=== RUN not-allow-update-cluster-machine-config
--- PASS: not-allow-update-cluster-machine-config (0.003s)
=== RUN allow-create-custom-machine-config
--- PASS: allow-create-custom-machine-config (0.005s)
=== RUN allow-delete-custom-machine-config
--- PASS: allow-delete-custom-machine-config (0.003s)
--- PASS: deny-cluster-machineconfig-modification-tests (0.023s)
ok gktemplates-src/aro-deny-machine-config/suite.yaml 0.023s
PASS
[opa test] -> gktemplates-src/library/common.rego gktemplates-src/aro-deny-master-toleration-taints/*.rego
PASS: 5/5
[gator verify] -> gktemplates-src/aro-deny-master-toleration-taints
=== RUN deny-master-toleration-taint-pods-in-nonprivileged-namespaces
=== RUN create-not-allowed-in-nonprivileged-namespaces
--- PASS: create-not-allowed-in-nonprivileged-namespaces (0.004s)
=== RUN create-allowed-in-privileged-namespaces
--- PASS: create-allowed-in-privileged-namespaces (0.004s)
=== RUN update-not-allowed-in-nonprivileged-namespaces
--- PASS: update-not-allowed-in-nonprivileged-namespaces (0.005s)
=== RUN deletion-allowed-in-nonprivileged-namespaces
--- PASS: deletion-allowed-in-nonprivileged-namespaces (0.003s)
--- PASS: deny-master-toleration-taint-pods-in-nonprivileged-namespaces (0.020s)
ok gktemplates-src/aro-deny-master-toleration-taints/suite.yaml 0.020s
PASS
[opa test] -> gktemplates-src/library/common.rego gktemplates-src/aro-deny-privileged-namespace/*.rego
PASS: 16/16
[gator verify] -> gktemplates-src/aro-deny-privileged-namespace
=== RUN privileged-namespace
=== RUN ns-allowed-pod
--- PASS: ns-allowed-pod (0.005s)
=== RUN ns-disallowed-pod
--- PASS: ns-disallowed-pod (0.005s)
=== RUN ns-disallowed-deploy
--- PASS: ns-disallowed-deploy (0.004s)
=== RUN ns-allowed-deploy
--- PASS: ns-allowed-deploy (0.004s)
--- PASS: privileged-namespace (0.023s)
ok gktemplates-src/aro-deny-privileged-namespace/suite.yaml 0.023s
PASS
[opa test] -> gktemplates-src/library/common.rego gktemplates-src/library/*.rego
[gator verify] -> gktemplates-src/library
PASS
Is there any documentation that needs to be updated for this PR?
N/A
How do you know this will function as expected in production?
The change is quite straightforward and has been tested on a test cluster.
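For readers unfamiliar with how a `privileged_ns` set drives a Gatekeeper guardrail, the following is an added illustration written for this page; it is not the project's `common.rego` and its set contents, rule names and user-exemption logic are assumptions. It shows the shape of a deny rule keyed on namespace membership, and an `opa test` case for each side of the change: a delete in a namespace that stays privileged is still denied, while a delete in `openshift-operator-lifecycle-manager` (dropped from the set in this PR) is now allowed.

```rego
# Added example, not ARO-RP's own common.rego. Package name, set contents and
# the exemption rule are assumptions made for illustration only.
package example.guardrails

# Assumed remaining privileged namespaces. The PR removes names such as
# openshift-operators and openshift-operator-lifecycle-manager from the real
# list; they are deliberately absent here.
privileged_ns := {
    "kube-system",
    "openshift-machine-api",
}

# Set membership: true only when ns is one of the privileged namespaces.
is_priv_namespace(ns) {
    privileged_ns[ns]
}

# Assumed exemption: cluster components act as "system:" users and are not
# subject to the guardrail. The real exemption list is project-specific.
is_exempt_user(username) {
    startswith(username, "system:")
}

# Gatekeeper-style violation rule over the AdmissionReview carried in input.review.
violation[{"msg": msg}] {
    ns := input.review.namespace
    is_priv_namespace(ns)
    not is_exempt_user(input.review.userInfo.username)
    msg := sprintf("%v not allowed to %v %v/%v in namespace %v", [
        input.review.userInfo.username,
        input.review.operation,
        input.review.kind.kind,
        input.review.name,
        ns,
    ])
}

# Constructed AdmissionReview fragment used by the tests below.
customer_delete(ns) = {"review": {
    "operation": "DELETE",
    "namespace": ns,
    "name": "catalog-operator-placeholder",
    "kind": {"kind": "Pod"},
    "userInfo": {"username": "customer-admin-placeholder"},
}}

# A delete in a namespace still listed in privileged_ns is denied.
test_delete_in_privileged_ns_denied {
    count(violation) == 1 with input as customer_delete("kube-system")
}

# A delete in a namespace removed from privileged_ns is no longer a violation.
test_delete_in_olm_ns_allowed {
    count(violation) == 0 with input as customer_delete("openshift-operator-lifecycle-manager")
}

# System components are exempt even in a privileged namespace.
test_system_user_exempt {
    count(violation) == 0 with input as {"review": {
        "operation": "DELETE",
        "namespace": "kube-system",
        "name": "x",
        "kind": {"kind": "Pod"},
        "userInfo": {"username": "system:serviceaccount:kube-system:example"},
    }}
}
```

Run with `opa test <file>.rego -v`; the three test rules mirror the before/after behaviour the PR description relies on (deny in a retained namespace, allow in a removed one), which is the same kind of check the `[opa test]` lines in the test plan above perform against the real library.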