policy: fix ResourceID leak in policy importer during policy churn

[odinuge]

This fixes a slow leak where the ResourceID of a given policy is leaked
in the prefixesByResource map when a policy without a single CIDR rule
is removed.

This is a rather slow leak, where our testing shows that churning ~10
policies that all leak, results in ~75MiB of leaked memory after 24
hours. For testing purposes, we did this with both namespaces and names
of policies being UUIDs to get consistent results. This affects all
agents in the cluster, no matter if the policies select endpoints on the
node or not.

This affects cilium v1.17, and given the code has not changed, it most
likely also affects all stable versions. A following test update shows
this is indeed the case. This code was introduced in the first mentioned
commit below, but it was initially unused. Then, the last referenced
commit is the one that made policy imports use this code.

This code does deserve some rewrite to make it simpler to avoid this,
but keeping this as a simple fix to ease backports.

Fixes: 783465b ("policy: add policy import cell")
Fixes: b762c3f ("policy/k8s: switch to policy importer cell")

Fixes: #issue-number

Fix memory leak triggered by policies being created and deleted

[odinuge]

/test

[odinuge]

/test

[odinuge]

/ci-clustermesh

[odinuge]

/ci-l3-l4

[odinuge]

cc @squeed

[fristonio]

LGTM, Thanks ❤️

[odinuge]

Thanks @fristonio! Can you also add the backport labels for all supported releases now? Given the severity of this leak, and the simple fix, I think it deserves being backported to v1.17, v1.18 and v1.19.

[odinuge]

Thanks @fristonio 🙏