Support for cluster scoped parent resources

This CL adds initial support for clustered parents the decorator
controller. The composite controller will work as long as you're not
using rolling updates.

This CL changes the behavior of the client map which is sent as
`attachments` or `children` in the DecoratorController and
CompositeController, respectively. The new keys can be thought of as a
relative path to the child. When both the parent and child are at the
same scope - either both namespaced or both clustered - the key is just
the child's name. When the parent is clustered and the child is
namespaced the relative are relative - the children's keys will always
be prefaced with the namespace - this is to disambiguate between two
children with the same name in different namespaces.

To test this change this CL also adds two examples. The first example is
of a decorator controller that creates a "reader" ClusterRole, similar
to the default roles and rolebindings for each CRD with the
`enable-default-roles` annotation.

The second is a decorator controller which creates role bindings in the
default namespace that bind the default service account to clusterrolebindings.

Closes GoogleCloudPlatform#2