docs: add CEL ValidatingPolicy golden path (MVP)

[sjiang83]

This PR adds one standalone guide page: a minimal CEL-first “golden path” for ValidatingPolicy.

Scope (MVP)

• One page
• One scenario: Namespace must have the team label
• Uses policies.kyverno.io/v1 ValidatingPolicy with validationActions: [Deny]

How to verify

• Primary path: cluster admission via kubectl apply (shows the real admission deny behavior).
• Optional: local smoke test via kyverno apply using the same YAML (see the guide).

Tested with

• Kyverno CLI: v1.17.0 (commit 3e5e7756)
• kubectl: v1.35.0
• Kyverno (cluster): v1.17+

[sjiang83]

Receipt (local CLI smoke test)

Kyverno CLI:

• kyverno version => v1.17.0 (commit 3e5e775669753daae01e280298f85b4604db9198)

Commands:

1. kyverno apply policy.yaml --resource ns-good.yaml
   Expected anchor: pass/passed

2. kyverno apply policy.yaml --resource ns-bad.yaml
   Expected anchor: output contains:
   "Namespaces must have the 'team' label."

Observed (ns-bad.yaml):
pass: 0, fail: 1, warn: 0, error: 0, skip: 0