feat: align with upstream apiserver controllers

[zachsmith1]

• Align multicluster auth semantics with upstream per-control-plane behavior by fixing TokenReview/SAR isolation and removing root-cluster fallback gaps for non-root requests.
• Harden bootstrap parity by ensuring non-root control planes get idempotent system namespaces, RBAC defaults, ServiceCIDR, kubernetes service reconciliation, and key internal controllers without disrupting root upstream hooks.
• Improve runtime correctness and stability by fixing informer startup/order issues and a delete-path panic in mutating webhook reinvocation that caused HTTP/2 internal errors in smoke coverage.
• Clarify and simplify operator configuration by documenting and defaulting topology flags toward per-cluster-safe behavior while preserving explicit shared-mode overrides.
• Increase test reliability and confidence with etcd-isolated smoke runs, race-resistant bootstrap waits, targeted regression tests, and full-suite validation against a live etcd instance.