Limit privileges of DevWorkspace serviceaccount

[amisevsk]

Description

I came across a half-written TODO today (I wrote it -- it's my bad):

// TODO: The rolebindings here are created namespace-wide; find a way to limit this, given that each workspace

The idea here was to restrict the devworkspace SA to only have control over workspace-related objects (and avoid a potential -- but slight -- privilege escalation).

Should we still proceed with trying to do this? Currently, being able to start workspaces gives the user the privileges to CRUD devworkspaces and devworkspacetemplates, create permissions on pods/exec, and view permissions on all pods/deployments/replicasets/devworkspaceroutings in the devworkspace's namespace.

[amisevsk]

Completed as part of #954

[AObuchow]

@amisevsk since #954 resolved this, which was part of 0.18.x can I put this in the 0.18.0 milestone? I'm currently checking for closed issues with no milestones set to them, and this was one of them.

[amisevsk]

Good catch, added to 0.18 milestone