Is your feature request related to a problem? Please describe.

When running Knative Services on a cluster managed by Zarf, image mutation currently applies uniformly to all containers in a Pod.

A Knative Service Pod always contains:

• A platform sidecar container (queue-proxy) owned and versioned by Knative
• One or more user application containers, owned by the application developer

In our environment:

• The queue-proxy image is bundled and hosted in the Zarf registry
• The user application image must be pulled from an on-prem/private registry (not Zarf-managed)

However, Zarf’s current mutation behavior rewrites all container image references in the Pod, causing one of the following failures:

• The user container image is rewritten to the Zarf registry where it does not exist
• Or Zarf must be disabled for the namespace, preventing the queue-proxy from being pulled from the Zarf bundle

Describe the behavior you'd like

Given Opt-in Mutation Mode to "only existing images"
And the namespace is managed by zarf
When the Pod is admitted
Then the Zarf agent should:

• Rewrite the image reference only if the image exists in the Zarf registry
• Leave the image unchanged if it does not exist in the Zarf registry
• the agent can (optionally) cache the results using a configurable TTL to minimize API calls to the registry.
• images with latest tags should always pull from the containers registry.

Describe alternatives you've considered

Additional context

• This feature will also work well to reduce friction in hybrid envs. where the initial services/platform are deployed with zarf and app level images should be pulled from other private/public registries.