android-emulator: new stack — shared in-cluster Android 16 testing instance

Viktor is setting up an Android app development pipeline (tripit is the
first app) and wants agents to natively test changes on Android before
shipping. This adds the testing environment: an API-36 Google emulator
under KVM as a privileged pod (namespace joins the Kyverno exclude list),
SDK/system-image/AVD on a proxmox-lvm PVC, adb on the shared MetalLB IP
10.0.20.200:5555 (LAN only), noVNC screen view at
android-emulator.viktorbarzin.lan. Image is built manually from the
stack's docker/ dir (rare rebuilds; off-infra-CI rule targets repeated
builds). First infra ADR records the trade-offs (devvm/VM/redroid/budtmo
rejected).
Viktor Barzin 2026-06-11 19:38:54 +00:00
parent 5486b9d438
commit 8b7c77c794
10 changed files with 469 additions and 4 deletions

@ -23,10 +23,11 @@ locals {
"xray", "infra-maintenance", "metrics-server", "tigera-operator", "frigate",
# Additions discovered during wave 1 enforce flip these contain workloads
# that legitimately need privileged / hostNetwork / SYS_ADMIN:
"kured", # kured DaemonSet is privileged (manages node reboots)
"default", # etcd backup + defrag CronJobs use hostNetwork
"changedetection", # uses SYS_ADMIN for chromium sandbox
"woodpecker", # CI pipeline pods (wp-*) run privileged docker builds
"kured", # kured DaemonSet is privileged (manages node reboots)
"default", # etcd backup + defrag CronJobs use hostNetwork
"changedetection", # uses SYS_ADMIN for chromium sandbox
"woodpecker", # CI pipeline pods (wp-*) run privileged docker builds
"android-emulator", # emulator pod is privileged for /dev/kvm (ADR-0001)
]
}
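Review bot: The new "android-emulator" entry exempts the whole namespace, while its comment only justifies the emulator pod's need for /dev/kvm. Any other workload that lands in that namespace later inherits the same exemption from the privileged / hostNetwork / SYS_ADMIN checks this list exists for. Consider stating in the comment that the namespace is reserved for the emulator pod alone, or scoping the exception to that pod if the policy allows a narrower match. The "(ADR-0001)" reference would also be easier to follow with the ADR's file path next to it.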