@mossroy mossroy commented Oct 24, 2025

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind feature

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area rules

/area registry

/area build

/area documentation

Proposed rule maturity level

Uncomment one (or more) /area <> lines (only for PRs that add or modify rules):

/area maturity-stable

/area maturity-incubating

/area maturity-sandbox

/area maturity-deprecated

What this PR does / why we need it:

This PR enhances the existing stable rule "Contact K8S API Server From Container" with a few adjustments:

  • grafana uses k8s-sidecar containers, that call the API server
  • snapshot-controller (from sig-storage) needs the API server
  • velero/velero container can also be prefixed with docker.io/
  • nfs-subdir-external-provisioner (from sig-storage) needs the API server
  • prometheus containers use the API server as a target (with default configuration of kube-prometheus-stack helm chart)

There's another scenario that can trigger this rule with the kube-prometheus-stack helm chart. Depending on your values.yaml, it can run a job that deploys the CRDs. This job uses a container based on registry.k8s.io/kubectl image with command kubectl apply --server-side --filename /tmp/crds.yaml, that triggers this rule. However, I did not find a clean and generic way to implement an exception for it.

…PI Server

Signed-off-by: Mossroy <mossroy@mossroy.fr>
@mossroy mossroy added the enhancement New feature or request label Oct 24, 2025

mossroy commented Oct 24, 2025

Wrong target repo: closing, superseded by falcosecurity#323

@mossroy mossroy closed this Oct 24, 2025