Role resolvers

[KevinJoiner]

This PR adds the ability to get a user's rules in a downstream cluster/project via CRTBs/PRTBs. This removes the need for the escalate verb check.

[rmweir]

Good job finding a solution that adds to the resolver.

Some thoughts:

Are we comfortable using xrtb's to determine someone's access? Afaik this should be fine in this context since it is for validating the creation of xrtb's however it is worth noting that this will totally ignore any bindings that are added via kubectl or one that an app adds. cc: @cbron @MbolotSuse

@cbron can we have scaling QA see if there are any spikes when create a new prtb/crtb. If there are so many projects (from all clusters), will there be a spike when creating these slices of rules? I have witnessed 15k+ prtb's in a setup. There is probably no reason to optimize it at this time but I feel like there will be so many redundant rules returned by the resolvers that I want to make sure it isn't necessary to refine the rules we are passing around. I do worry about this less if we switch to using pointers for the PolicyRules.

[KevinJoiner]

@rmweir I think this is a good question, and I will just add a little more context.

Are we comfortable using xrtb's to determine someone's access?

The previous behavior was to only check a users permissions in the local cluster to determine access for both local and downstream clusters. This new approach keeps that behavior, but also checks the users permissions in local and downstream clusters via xrtbs as well.

however it is worth noting that this will totally ignore any bindings that are added via kubectl or one that an app adds.

I don't believe this is true since all kube-api xrtb operation will pass through the webhook regardless of who originated them. Furthermore, the xrtbs that are used to determine permissions are taken from kube-api via a wrangler cache.

[MbolotSuse]

minor test comments but overall LGTM.

I would like us to get this in ASAP. This could have widespread effects in rancher, and I think a longer-than-usual testing period would be advisable for something like this.

[rmweir]

My question was actually around role bindings that were created by something other then the xrtb controllers. @KevinJoiner pointed out to me that the default resolver addresses this. LGTM.