Multi-tenancy, part 2: Authorization using Kubernetes RBAC

Open soamvasani opened this issue 6 years ago • 1 comments

We have multiple-namespace support for Fission since 0.8.0; however, our API does not have support for authorization.

Most of our server-side microservices talk directly to the K8s API. There's no longer a need for most of the Fission API. We can remove the resource CRUD parts of our API; then the CLI can access the K8s API directly, so that the usual K8s RBAC rules restrict CLI users as well.

Changes needed:

  1. [ ] Modify CLI to talk to Kubernetes API directly. Give users good error messages when authz fails.
  2. [ ] Deprecate CRUD API for Fission CRDs. No code change; just a decision to remove APIs in a future release.
  3. [ ] Remove CRUD API for Fission CRDs. On access these APIs should return a friendly error message asking users to upgrade their CLI.

Non-goal for this issue: adding authorization to our other APIs. We'll track that in a separate issue.

soamvasani, Jun 20 '18 17:06

We'll also have to add server-side CRD validation.

soamvasani, Nov 07 '18 17:11

@neha-Gupta1 please review this as per latest changes and close as appropriate.

sanketsudake, Nov 16 '22 16:11

Since all CRUD APIs for Fission CRDs are called from the CLI, we have stopped calling those APIs (i.e. controller APIs) from the CLI and have made direct calls to the API server. The controller is disabled by default, so any API call to the controller API will give a 404. We have added a flag in the Helm charts, `controller.enabled` (which is set to false by default), through which users can still use the old controller APIs. Detailed information about the flag will be added to the release notes with the deprecation note. Also, server-side validations have been added through the admission controller server.

neha-Gupta1, Nov 17 '22 06:11
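
An illustration of the approach discussed in this issue, added here and not taken from the thread or from Fission's own manifests: once the CLI talks to the Kubernetes API directly, a namespaced Role and RoleBinding like these decide what a CLI user may do with Fission resources. The namespace `team-a`, the user `alice@example.com` and the object names are hypothetical; the resource names are the CRDs in the `fission.io` API group.

```yaml
# Hypothetical tenant namespace, user and object names; adjust to your cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: fission-developer
  namespace: team-a
rules:
  # Full lifecycle on the resources a function developer owns.
  - apiGroups: ["fission.io"]
    resources:
      - functions
      - packages
      - httptriggers
      - timetriggers
      - messagequeuetriggers
      - kuberneteswatchtriggers
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only on environments, so a tenant user cannot swap the runtime
  # image that functions in this namespace execute in.
  - apiGroups: ["fission.io"]
    resources: ["environments"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: fission-developer-alice
  namespace: team-a
subjects:
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: fission-developer
  apiGroup: rbac.authorization.k8s.io
```

Because both objects are namespaced, the user gets no access to Fission resources in any other namespace. `kubectl auth can-i create functions.fission.io --namespace team-a --as alice@example.com` confirms the grant, and the same check with `update environments.fission.io` should answer `no`.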