
[stub] make defensive changes to pinniped CLI to handle clock skew

Open enj opened this issue 3 years ago • 0 comments

As a defensive change to handle https://github.com/kubernetes/kubernetes/pull/106768 I propose that the pinniped CLI:

  1. Not send expirationTimestamp to client-go/kubectl - maybe allow this to be opted into? - or a better approach may be to make sure expirationTimestamp is >= time.Now() + 10*time.Second
  2. Cache credentials until expirationTimestamp or time.Now() + 10*time.Second, whichever is later
  3. (not the CLI) add a controller that detects clock skew and emits warning logs / status updates?
  4. We also need to fix the issue upstream which might require invasive changes and difficult-to-write tests

enj, Dec 01 '21 22:12
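A sketch of items 1 and 2 of the proposal, as an added example that is not part of the original issue and not Pinniped's code. The `credential` and `credCache` types, the injectable `now` clock and the sample times are hypothetical; only the 10-second floor comes from the issue.

```go
package main

import (
	"fmt"
	"time"
)

const minLifetime = 10 * time.Second // floor taken from the proposal

// credential is a hypothetical stand-in for what the CLI returns to kubectl.
type credential struct {
	Token      string
	Expiration time.Time // expirationTimestamp as issued
}

// effectiveExpiry returns the later of the issued expiration and now+10s.
func effectiveExpiry(issued, now time.Time) time.Time {
	if floor := now.Add(minLifetime); issued.Before(floor) {
		return floor
	}
	return issued
}

type credCache struct {
	now     func() time.Time // injectable clock, so skew can be simulated
	cred    *credential
	fetches int // how many times the issuer was contacted
}

// get serves the cached credential while valid, else fetches and clamps a new one.
func (c *credCache) get(fetch func() credential) credential {
	now := c.now()
	if c.cred != nil && now.Before(c.cred.Expiration) {
		return *c.cred
	}
	fresh := fetch()
	c.fetches++
	fresh.Expiration = effectiveExpiry(fresh.Expiration, now)
	c.cred = &fresh
	return fresh
}

func main() {
	local := time.Date(2021, 12, 1, 22, 0, 0, 0, time.UTC) // constructed; issuer clock is behind
	c := &credCache{now: func() time.Time { return local }}
	fetch := func() credential { return credential{Token: "t", Expiration: local.Add(-time.Minute)} }
	c.get(fetch)
	c.get(fetch)
	fmt.Println("fetches:", c.fetches) // fetches: 1
}
```

Without the clamp, the second `get` would see an already-expired credential and contact the issuer again on every call.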