Implement more helm rego checks #2811

Closed
2 of 6 tasks
dimitarvdimitrov opened this issue Aug 23, 2022 · 2 comments
dimitarvdimitrov commented Aug 23, 2022

A follow-up on #2137

What more checks can we add:

  • all containers have the restricted security context - a test for Deployment mustRunAsNonRoot #2595
  • all pods are covered by some ServiceMonitor/PodLogs; metamonitoring is restricted to pods from the chart
  • some implicit naming conventions: to scrape PVC volumes information for metamonitoring (helm: meta-monitoring #2068) we assume that the PVCs created by the chart have a storage- prefix. If this prefix is changed in any of the StatefulSets the metamonitoring will break and stop collecting data for the volumes. We have no way of knowing this during the review process now.
  • Verify that all components have an attached volume under /data. The default mimir.config assumes /data is a mounted directory.
  • all resources have the standard Kubernetes annotations (app.kubernetes.io/)
  • verify that all resources have an explicit namespace (Helm: fix namespace issues #2123)
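
An added example, not part of the issue and not the project's own policy code: a conftest-style Rego policy sketching the first and third checks in the list above. It assumes conftest hands each rendered manifest document to the policy as `input`, an OPA version that supports `import rego.v1`, and that "restricted" means the `runAsNonRoot`, `allowPrivilegeEscalation` and `capabilities.drop` settings of the Kubernetes Pod Security Standards restricted profile; all rule and helper names are hypothetical.

```rego
package main

import rego.v1

# Assumption: conftest passes one rendered manifest document as `input`.
pod_spec := input.spec.template.spec if {
	input.kind in {"Deployment", "StatefulSet", "DaemonSet"}
}

containers contains c if {
	some field in ["containers", "initContainers"]
	some c in pod_spec[field]
}

# Container-level runAsNonRoot wins; otherwise the pod-level value applies.
runs_as_non_root(c) if c.securityContext.runAsNonRoot == true

runs_as_non_root(c) if {
	object.get(c, ["securityContext", "runAsNonRoot"], null) == null
	pod_spec.securityContext.runAsNonRoot == true
}

drops_all(c) if "ALL" in c.securityContext.capabilities.drop

# Assumed meaning of "restricted": settings from the Pod Security Standards profile.
deny contains msg if {
	some c in containers
	not runs_as_non_root(c)
	msg := sprintf("%s/%s container %s: runAsNonRoot is not true", [input.kind, input.metadata.name, c.name])
}

deny contains msg if {
	some c in containers
	not c.securityContext.allowPrivilegeEscalation == false
	msg := sprintf("%s/%s container %s: allowPrivilegeEscalation is not false", [input.kind, input.metadata.name, c.name])
}

deny contains msg if {
	some c in containers
	not drops_all(c)
	msg := sprintf("%s/%s container %s: capabilities.drop lacks ALL", [input.kind, input.metadata.name, c.name])
}

# A StatefulSet PVC is named <volumeClaimTemplate name>-<pod name>.
deny contains msg if {
	input.kind == "StatefulSet"
	some vct in input.spec.volumeClaimTemplates
	not startswith(concat("", [vct.metadata.name, "-"]), "storage-")
	msg := sprintf("StatefulSet/%s: PVC template %s breaks the storage- prefix", [input.metadata.name, vct.metadata.name])
}
```

The prefix rule tests the template name plus a trailing `-` because that is how the resulting PVC name begins, so a template named `storage` passes while one named `data` is reported at review time.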
@mattmendick
Contributor

Removing the squad/customer label from this issue since this is a bit of a pet project. If you feel like this should be something that a larger group of people chip away at officially, put it on the next quarter planning spreadsheet. Creating smaller issues made from this might be another good strategy.

@dimitarvdimitrov
Contributor Author

I don't have plans to work on this anymore, so I'm closing it

@dimitarvdimitrov closed this as not planned on Jul 11, 2023