Specify network policy labels for admission component

- allow talking to DNS and to virtual KAPI
- allow being reached by KAPI (via 'all-webhook-targets')

charts/gardener-extension-admission-aws/charts/runtime/templates/deployment.yaml

@@ -20,6 +20,8 @@ spec:
         checksum/gardener-extension-admission-aws-kubeconfig: {{ include (print $.Template.BasePath "/secret-kubeconfig.yaml") . | sha256sum }}
         {{- end }}
       labels:
+        networking.gardener.cloud/to-dns: allowed
+        networking.resources.gardener.cloud/to-virtual-garden-kube-apiserver-tcp-443: allowed
 {{ include "labels" . | indent 8 }}
     spec:
       {{- if not .Values.global.virtualGarden.enabled }}

charts/gardener-extension-admission-aws/charts/runtime/templates/service.yaml

@@ -3,8 +3,9 @@ kind: Service
 metadata:
   name: {{ include "name" . }}
   namespace: {{ .Release.Namespace }}
-  {{- if .Values.global.service.topologyAwareRouting.enabled }}
   annotations:
+    networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":{{ .Values.global.webhookConfig.serverPort }}}]'
+  {{- if .Values.global.service.topologyAwareRouting.enabled }}
     service.kubernetes.io/topology-aware-hints: "auto"
   {{- end }}
   labels: