Implement privileged namespace security policy update for tilt-prepare

This commit updates the updateNamespaceSecurityPolicy function to set the
pod-security.kubernetes.io/enforce label to 'privileged' for Namespace objects.

Signed-off-by: Max Rantil <max.rantil@est.tech>

hack/tools/internal/tilt-prepare/main.go

@@ -788,6 +788,10 @@ func writeIfChanged(prefix string, path string, yaml []byte) error {
 // This has the affect that the appended ones will take precedence, as those are read last.
 // Finally, we modify the deployment to enable prometheus metrics scraping.
 func prepareWorkload(name, prefix, binaryName, containerName string, objs []unstructured.Unstructured, ts *tiltSettings) error {
+	err := updateNamespaceSecurityPolicy(objs)
+	if err != nil {
+		return errors.Wrapf(err, "[%s] failed to update Namespace security policy", prefix)
+	}
 	return updateDeployment(prefix, objs, func(deployment *appsv1.Deployment) {
 		for j, container := range deployment.Spec.Template.Spec.Containers {
 			if container.Name != containerName {
@@ -957,3 +961,21 @@ func getProviderObj(version *string) func(prefix string, objs []unstructured.Uns
 		return providerObj, nil
 	}
 }
+
+// updateNamespaceSecurityPolicy updates the pod-security.kubernetes.io/enforce label to "privileged" for Namespace objects.
+func updateNamespaceSecurityPolicy(objs []unstructured.Unstructured) error {
+	for i, obj := range objs {
+		if obj.GetKind() != "Namespace" {
+			continue
+		}
+		labels := obj.GetLabels()
+		if labels == nil {
+			labels = make(map[string]string)
+		}
+		labels["pod-security.kubernetes.io/enforce"] = "privileged"
+		obj.SetLabels(labels)
+		objs[i] = obj
+		return nil // Return immediately once the Namespace is updated
+	}
+	return fmt.Errorf("no Namespace object found to update")
+}