Detect permissions checked against the target user via a subject access review

[liggitt]

Needed to include synthetic resource permissions checked for by various admission plugins or kubelets

Requires audit log to capture content for SAR

Might need to special case PSP checks (or have a way to include/exclude SAR checks for specific resources)