Deny list for containers to limit which containers in the application are not bound

[baijum]

The current spec supports an allow-list for containers to limit which containers in the application are bound.
Sometimes a deny-list for containers would be more appropriate. The deny-list would limit which containers in the application are not bound. The allow-list could be mutually exclusive with the deny-list (only one of them exist). I propose to add .spec.application.skipContainers field to specify the deny-list for containers.

This can be added post 1.0 release in a backward-compatible way.

[scothis]

What if we use the existing containers array, but allow container names to start with ! to negate the selection?

I'd generally discourage deny lists for security related tasks, but there are times when it's the pragmatic approach.