[epic] Permission validation pre-flight check #988

Open
everettraven opened this issue Jun 27, 2024 · 8 comments
Labels
epic v1.x Issues related to OLMv1 features that come after 1.0 v1.1

Comments

@everettraven
Contributor

everettraven commented Jun 27, 2024

Once #737 is implemented, it will be important to have a pre-flight check that is able to evaluate if the ServiceAccount provided in the ClusterExtension has sufficient permissions to stamp out the content for a bundle on the cluster. Having this pre-flight check would:

  • Prevent partial installation/upgrade of bundles due to insufficient permissions on the provided ServiceAccount by failing fast before even attempting the installation/upgrade
  • Provide a more user-friendly error message as to the exact permissions that are missing to install/upgrade content. Without this pre-flight check the install will fail the first time it encounters a permission error. The pre-flight check will be able to identify a list of missing permissions and return that in a failing status message.

I have done some previous work related to this in Carvel's kapp project [1]. It can be used as an inspiration for our own implementation or pulled in as a library (with a lightweight abstraction on top to satisfy the Preflight interface introduced in #979).

References:

Brief: https://docs.google.com/document/d/1fCkUaaXebfF1237iRrFC-F7HNNe7-TFeXpN0wSUdiXc/edit?usp=sharing
RFC: https://docs.google.com/document/d/1W7ThVE7yAd43IW1KETAB9x8pQqIRu7Dqs7jZi5QjQaM/edit?usp=sharing
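
The fail-fast behaviour described in this comment, as an added example that is not part of the original issue and is not operator-controller or kapp code. It uses a simplified in-memory model of RBAC rule matching; the names `Rule`, `Need`, `Missing` and `Preflight` are hypothetical, and a real check would evaluate the ServiceAccount's actual bindings through the cluster's authorizer.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for an RBAC PolicyRule (no resourceNames, subresources or namespaces).
type Rule struct{ APIGroups, Resources, Verbs []string }
// Need is one action the installer must perform as the ServiceAccount.
type Need struct{ Verb, Group, Resource string }

// has reports whether list grants want, honouring the RBAC "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Missing describes every Need that no rule grants, in input order, rather than stopping at the first denial.
func Missing(rules []Rule, needs []Need) (out []string) {
next:
	for _, n := range needs {
		for _, r := range rules {
			if has(r.APIGroups, n.Group) && has(r.Resources, n.Resource) && has(r.Verbs, n.Verb) {
				continue next
			}
		}
		out = append(out, fmt.Sprintf("%s %q in apiGroup %q", n.Verb, n.Resource, n.Group))
	}
	return out
}

// Preflight returns nil when every need is granted, else one error listing all missing permissions.
func Preflight(rules []Rule, needs []Need) error {
	if m := Missing(rules, needs); len(m) > 0 {
		return fmt.Errorf("pre-flight failed, ServiceAccount lacks: %s", strings.Join(m, "; "))
	}
	return nil
}

func main() {
	// Constructed sample: rules bound to the ServiceAccount and the actions a bundle needs.
	rules := []Rule{{[]string{"apps"}, []string{"deployments"}, []string{"*"}}, {[]string{""}, []string{"services"}, []string{"get"}}}
	needs := []Need{{"create", "apps", "deployments"}, {"update", "", "services"}, {"create", "apiextensions.k8s.io", "customresourcedefinitions"}}
	fmt.Println(Preflight(rules, needs))
}
```

Because nothing is applied until `Preflight` returns nil, a denial on the last object cannot leave the earlier ones half-installed, and the error names every gap in one pass.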

@everettraven everettraven added epic v1.x Issues related to OLMv1 features that come after 1.0 labels Jun 27, 2024
@rashmigottipati rashmigottipati self-assigned this Jul 15, 2024
@LalatenduMohanty
Member

This epic is a prerequisite for #919

@joelanford joelanford added v1.1 and removed v1.x Issues related to OLMv1 features that come after 1.0 labels Nov 5, 2024
@LalatenduMohanty
Member

The first step is to schedule a design meeting and then work on the brief for this epic.

@everettraven
Contributor Author

Prior art that could help kickstart some conversation: #1282

@everettraven
Contributor Author

/assign @trgeiger


openshift-ci bot commented Nov 7, 2024

@everettraven: GitHub didn't allow me to assign the following users: trgeiger.

Note that only operator-framework members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @trgeiger

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@bentito
Contributor

bentito commented Nov 12, 2024

@trgeiger did you really want to tackle this one? Otherwise I'm psyched to work on it. Might be able to split up the work too.

@trgeiger
Contributor

I'm happy to work together or help out, either way. I just wanted to dive head first into some of the upcoming work. I've got a brief and RFC started if you want to connect on that.

@bentito
Contributor

bentito commented Nov 14, 2024

Cool, I'm adding to the Brief now

@LalatenduMohanty LalatenduMohanty added the v1.x Issues related to OLMv1 features that come after 1.0 label Dec 10, 2024
Projects
Status: Designing
Development

No branches or pull requests

6 participants