Navigator should be able to operate in a cluster where PodSecurityPolicy is enabled

[wallrj]

https://kubernetes.io/docs/concepts/policy/pod-security-policy/

It looks like we need a way for users to choose the name of a PodSecurityPolicy to use for the service accounts generated by the Navigator controller.

• Maybe have the helm chart install a PodSecurityPolicy suitable for use by Navigator database service accounts.
• And have helm install an RBAC ClusterRole which allows the subject to use that PSP.
• And have the Navigator controller create role bindings for each service account, binding it to the ClusterRole above.
• We should run E2E tests in a cluster where there's a very restrictive default PodSecurityPolicy.

/kind feature