Gardener Seed Admission Controller

[rfranzke]

What this PR does / why we need it:
This PR introduces a new component, the Gardener Seed admission controller. It is deployed by the Gardenlet as part of its seed bootstrapping phase and, consequently, running in every seed cluster. It's main purpose is to serve webhooks (validating or mutating) in order to admit or deny certain requests to the seed's API server.
Concretely, it prevents the undesired deletion of CustomResourceDefinitions labeled with gardener.cloud/deletion-protected=true, and most custom resources of the extensions.gardener.cloud/v1alpha1 API group if they were not previously annotated with confirmation.gardener.cloud/deletion=true.

Example logs:

$ kubectl -n shoot--foo--bar delete infra bar
Error from server: admission webhook "seed.admission.core.gardener.cloud" denied the request: must have a "confirmation.gardener.cloud/deletion" annotation to delete

Which issue(s) this PR fixes:
Fixes #2053

Special notes for your reviewer:
The PR is split in three commits: The first commit introduces the gardener-seed-admission-controller, the second commit enhances the gardenlet code to a) deploy it as part of the seed bootstrap, and b) confirm the deletion for the extension resources prior to sending DELETE calls. The third commit adds a script for local development that adds an image vector overwrite for the Gardener components in the charts/images.yaml.

PS: It might happen that, when you check out this PR and start the Gardenlet locally, the gardener-seed-admission-controller cannot be deployed in your seeds because of ImagePullBackOff. This is because the Gardener CI pipeline has not yet been adapted to automatically build an image for this new component. This can only happen after the PR is merged. You can use the image eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.2.0-dev for testing the admission controller.

Release note:

A new component has been introduced, the gardener-seed-admission-controller. It runs in every seed cluster and prevents the undesired deletion of `CustomResourceDefinitions` labeled with `gardener.cloud/deletion-protected=true`, and most custom resources of the `extensions.gardener.cloud/v1alpha1` API group if they were not previously annotated with `confirmation.gardener.cloud/deletion=true`.

[timebertt]

Thanks for the PR, Rafael!
Looks pretty good, though I have some comments here and there (mainly regarding the protected CRs/CRDs and the unit tests).
Also wanna give it a test in my local setup tomorrow, will come back with the results after that :)

[danielfoehrKn]

Looking good. Will run a more thorough test soon.

[timebertt]

Finished testing now, works completely fine for me.
I have only one more suggestion on how to handle the admission response.

[timebertt]

Sorry, found one more bug.

[rfranzke]

Wow, thanks for your thorough and intensive review @tim-ebert, kudos! I'm impressed! I hope I've addressed everything now - can you please check it again?

[timebertt]

You're welcome. Will take another look on Monday :)

[timebertt]

Thanks for addressing my comments.
I only have some smaller comments left now.

[timebertt]

Very nice, looks perfect now :)
Gave it a spin in my local setup again, runs as expected!

/approve

[rfranzke]

Let's wait with the merge of this PR until v1.2 has been cut.