Make RBAC usage optional for use with extension API server

[c0d1ngm0nk3y]

Description

Korifi levereges RBAC to implement authorization (e. what apps are visible to a certain user). Since Korifi is currently interacting directly with RoleBinding this is currently fix.

If would be great to give the option to install Korifi without the use of RBAC. The authorization would not work out of the box, but has to be provided differently, similar to extenting Korifi via AppWorkload or BuildWorkload.

The use case I have in mind is an extension API server. If someone implements an extension API server, it could also do the permission check and therefor the RBAC overhead would not be needed.

This touches a few things:

• Introduction of a CFRole to allow the extension server to get all permissions. So not creating RoleBindings directly
• space_filtering_client will not be used for any repository. Rather than checking all namespaces, korifi could jetzt request everything from the API server and the extension API server will only return the objects the user has permissions
• The logic to check if the current user is a cf_user would probably be different.

[c0d1ngm0nk3y]

Now with the space_filtering_client that should even be more straight forward since already all object are selected and the label selector ensures to select only the one with access to. We sould without RBAC just skip the label selector since the calculation on the label could get expensive for many spaces and users.

[c0d1ngm0nk3y]

@cloudfoundry/wg-cf-on-k8s-korifi-approvers Would you take contributions towards this epic?