Implement a MutatingAdmissionWebhook to apply relocation mappings to pods

[glyn]

This was suggested in discussions with the kubernetes community as a way of applying a relocation mapping to image references used to create containers. The webhook would need to mutate pods to replace image references with their relocated counterparts.

The relocation mapping state of the webhook should be managed by a controller which would monitor resources describing partial relocation mappings.

[glyn]

TODO (possibly in later issues):

• Use Conditions rather than an error string
• Clear the error condition when an imagemap later successfully applies
• Handle missed deletes
• Delay the controller pod status from becoming ready until resync is complete - deferred to Consider delaying controller pod status from becoming ready until resync is complete #5
• Add ClusterImageMap for mappings that need to be applied to all namespaces - deferred to Support ClusterImageMaps #4
• Add the webhook (see spike MutatingAdmissionWebhook for relocating image references image-relocation#37)

[glyn]

Improvements from @roycaihw's excellent KubeCon presentation on admission webhooks:

• avoid mutating pods in kube-system namespace

• (for kubernetes v1.15+) configure reinvocationPolicy: IfNeeded to ensure mutations by other webhooks are processed (e.g. if a sidecar pod is injected, need to relocate the image)

• (for kubernetes v1.15+) consider configuring matchPolicy: Equivalent to ensure all versions of a pod spec are processed.

[glyn]

See #20