Add watch endpoint for tenancy.kiosk.sh

Currently the kiosk apiserver does not support Watch operations on spaces and accounts. The problem with this operation is that we would have to create a filtered view based on the requesting user and group memberships, which the current auth cache implementation not supports.

An obvious workaround for priviledged users currently is to watch the underlying resource (namespaces & accounts.config.kiosk.sh) and do the filtering themselves, however for unpriviledged users this is currently not possible. While I think the Watch operation is certainly necessary (at least for sake of completion), I'm not sure about the priority of it. Are there any tools that would need / require this?

Having kiosk apiserver not supporting Watch operations cause some big problems with argocd.
Argocd try to list (watch) the spaces and accounts resources but this take several seconds for a cluster with more than 200 namespaces. As kiosk doesn't respond in a small time, argocd try every second to list the kiosk resource so that the cpu used by kiosk increase a lot.