Allow operators to exec into pods

[Krenair]

No description provided.

[chrisfarms]

I can't think of anything dangerous you could do with a Pod exec that you couldn't already do with the existing Pod create/patch permissions. So I don't really see any problem with allowing this for "namespace operators".

At one point in the past, we had the intention to enforce image provenance with Notary - even for "namespace operators") which would mean you can always know what code is running and where it came from.... exec would have allowed you to effectively bypass that restriction. However no such restriction is in place.

It does slightly reduce the ability to know what code is executing in the cluster. With the ability to exec you can no longer look at the image+digest and have any confidence that the code executing in the container is the same as is stored in the image+digest. But I believe this is a risk we are willing to accept for dev-namespaces, which after all are all about making it easier to debug without the constraints of the prod restrictions.

We might want to add an amendment to ADR43 for good housekeeping with this decision as part of this PR