This repository has been archived by the owner on Sep 5, 2024. It is now read-only.

Protect gitflow with RBAC #623

Closed
davidnuzik opened this issue Oct 28, 2019 · 3 comments
Labels: enhancement (New enhancement to an existing feature or request to enhance a feature)
Comments

davidnuzik (Contributor) commented Oct 28, 2019

Use RBAC to protect the job we run to execute gitflow on stacks (i.e. limit permissions accordingly).

For example, rio standard RBAC might be used.

We also need to implement an extra-privilege API for the stack so that extra privileges can be given, i.e. to run extra deployments.

@davidnuzik davidnuzik added the enhancement New enhancement to an existing feature or request to enhance a feature label Oct 28, 2019
@davidnuzik davidnuzik added this to the v0.6.0 milestone Oct 28, 2019
@cbron cbron assigned cbron and unassigned daxmc99 Oct 31, 2019
@cbron cbron removed their assignment Nov 6, 2019
@StrongMonkey StrongMonkey self-assigned this Nov 7, 2019
StrongMonkey (Contributor) commented:

@izaac sync with me when you have a chance when you start testing this.

StrongMonkey (Contributor) commented Nov 11, 2019

@izaac You can use https://github.com/daxmc99/rio-demo/tree/track_gvk for testing.

Expected behavior:

In order to deploy a Riofile that contains any k8s manifest from a remote repository, the user has to do the following:

  1. If the user has to create a specific Kubernetes manifest, the user has to give extra permission to the stack.
     This is done by rio up --permission.
     For example, if the user defines a stack that contains a deployment, the user has to give the stack the permission to do CRUD on deployments: rio up --permission "* apps/v1"
  2. Users can't give stacks permissions that they don't have themselves.
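The two rules above, as an added example that is not Rio's own code: a small Go check that parses the --permission "<verb> <group/version>" form shown in the comment and refuses to grant a stack any permission the requesting user does not already hold. The reading of the permission syntax, the Permission type and the sample role contents are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Permission is one grant in the form the comment shows: "<verb> <group/version>".
// "*" matches any verb or any group. (Assumed interpretation of the rio up
// --permission syntax, constructed for this example, not Rio's actual parser.)
type Permission struct {
	Verb     string
	APIGroup string // e.g. "apps/v1"
}

// ParsePermission splits a "<verb> <group/version>" string into a Permission.
func ParsePermission(s string) (Permission, error) {
	fields := strings.Fields(s)
	if len(fields) != 2 {
		return Permission{}, fmt.Errorf("want \"<verb> <group/version>\", got %q", s)
	}
	return Permission{Verb: fields[0], APIGroup: fields[1]}, nil
}

// Covers reports whether the held permission g includes the requested permission r.
func (g Permission) Covers(r Permission) bool {
	verbOK := g.Verb == "*" || g.Verb == r.Verb
	groupOK := g.APIGroup == "*" || g.APIGroup == r.APIGroup
	return verbOK && groupOK
}

// CanGrant enforces rule 2: every permission requested for the stack must be
// covered by a permission the user holds. It returns the uncovered ones.
func CanGrant(userHolds, requested []Permission) (bool, []Permission) {
	var denied []Permission
	for _, r := range requested {
		covered := false
		for _, g := range userHolds {
			if g.Covers(r) {
				covered = true
				break
			}
		}
		if !covered {
			denied = append(denied, r)
		}
	}
	return len(denied) == 0, denied
}

func main() {
	// Constructed sample: a user holding only get/list on apps/v1 runs
	// rio up --permission "* apps/v1"; the wildcard verb must be refused.
	user := []Permission{{"get", "apps/v1"}, {"list", "apps/v1"}}
	req, _ := ParsePermission("* apps/v1")
	ok, denied := CanGrant(user, []Permission{req})
	fmt.Println(ok, denied)
}
```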

izaac commented Nov 11, 2019

Tested the roles:

rio-admin
rio-cluster-admin
rio-privileged
rio-standard
rio-readonly

I checked the above example with admin to see if I was able to specify the permissions and if the objects were created successfully. I also checked that the deployments/services weren't created for custom k8s objects specified in the Riofile if I didn't set the permissions.

I also tested privilege escalation scenarios where I tried to apply permissions like update using the rio-standard and rio-privileged roles.

With the rio-readonly role I wasn't even able to trigger a rio up because of lack of privileges to create stacks.

Test plan updated with the aforementioned scenarios.

rio v0.6.0-alpha.4
