Red Hat OpenShift AI Engineering / RHOAIENG-5089

Create NetworkPolicies that secure Ray Clusters Head REST / Dashboard Endpoint

      For each Ray cluster created in the context of Distributed Workloads, a NetworkPolicy should be created that blocks all ingress traffic to that Ray cluster's head node HTTP / REST API / Dashboard endpoint, except:

      • From Pods within the local Ray cluster namespace
      • From the KubeRay controller deployed in the RHOAI application namespace

      That should be done in the DW RayCluster controller.

      Acceptance criteria:

      • As a data scientist, I can create a Ray cluster, with "zero-trust" security enabled by default, and:
        • Access the dashboard, after login from the Web browser
        • Connect to my cluster from within the notebook using the CodeFlare SDK and submit jobs
      • As a data scientist, I can create a RayJob resource, and that RayJob runs successfully in the target Ray cluster
      • As a platform admin, given I create a Pod in a different namespace than the previously created Ray cluster, and I exec into that Pod, I cannot access any of the Ray cluster endpoints (client, dashboard, GCS, metrics)
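
A NetworkPolicy of the shape described above, as an added example that is not part of the original issue and not the DW RayCluster controller's own output. The cluster name, both namespace names, the operator Pod label and the dashboard port (Ray's default, 8265) are assumptions.

```yaml
# Added example, not generated by the DW RayCluster controller.
# Assumptions (not stated in the ticket): cluster name "example-raycluster",
# namespace "example-ds-project", RHOAI application namespace
# "redhat-ods-applications", the KubeRay operator Pod label, and the Ray
# dashboard / REST API listening on its default port 8265.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-raycluster-head
  namespace: example-ds-project
spec:
  # Select only the head Pod of this Ray cluster (labels set by KubeRay).
  podSelector:
    matchLabels:
      ray.io/cluster: example-raycluster
      ray.io/node-type: head
  # Listing Ingress isolates the selected Pod: anything not matched by a
  # rule below is dropped, including traffic from other namespaces to the
  # client, dashboard, GCS and metrics ports.
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: any Pod in the Ray cluster's own namespace, all ports.
    # A podSelector without a namespaceSelector matches this namespace only,
    # so workers, notebooks and RayJob submitters here still reach the head.
    - from:
        - podSelector: {}
    # Rule 2: the KubeRay controller in the application namespace, limited
    # to the dashboard / REST port. namespaceSelector and podSelector sit in
    # the same list item, so both must match (AND, not OR).
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: redhat-ods-applications
          podSelector:
            matchLabels:
              app.kubernetes.io/name: kuberay   # assumed operator label
      ports:
        - protocol: TCP
          port: 8265
```

Dashboard access from a browser "after login" needs an additional rule for whichever path the login front end uses to reach the head Pod; the issue does not describe that path, so it is not modelled here.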

            kpostlet@redhat.com Kevin Postlethwait
            astefanu@redhat.com Antonin Stefanutti
            Karel Suta
            RHOAI Distributed Workloads