[WIP] [RHOAIENG-11010] Use a more secure role for KServe InferenceService access #3198

Open
wants to merge 4 commits into
base: main

mturley
Contributor

@mturley mturley commented Sep 11, 2024

Resolves https://issues.redhat.com/browse/RHOAIENG-11010

Description

See comments on Jira issue for implementation details. When setting up token auth for KServe models, instead of giving their ServiceAccounts a binding to the ClusterRole "view", we create a new role for them to get only InferenceServices in their own namespace. This PR also adds logic to replace the old rolebindings on users' clusters with the replaced more secure ones.

How Has This Been Tested?

WIP - need to test on a cluster, opening the PR to get an image

Test Impact

  • New unit tests for new frontend utils for managing roles
  • Updated tests for setUpTokenAuth to account for creating / not creating the new role
  • Backend code unfortunately has no unit testing currently, only manual testing here.

Request review criteria:

Self checklist (all need to be checked):

  • The developer has manually tested the changes and verified that the changes work
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

  • Included any necessary screenshots or gifs if it was a UI change.
  • Included tags to the UX team if it was a UI/UX change.

After the PR is posted & before it merges:

  • The developer has tested their solution on a cluster by using the image produced by the PR to main

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress This PR is in WIP state label Sep 11, 2024
Contributor

openshift-ci bot commented Sep 11, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from mturley. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

mturley and others added 2 commits September 11, 2024 17:38

codecov bot commented Sep 13, 2024

Codecov Report

Attention: Patch coverage is 96.42857% with 1 line in your changes missing coverage. Please review.

Project coverage is 85.33%. Comparing base (f02500a) to head (d6ae4a3).
Report is 24 commits behind head on main.

Files with missing lines Patch % Lines
frontend/src/pages/modelServing/utils.ts 94.11% 1 Missing ⚠️
Additional details and impacted files


@@            Coverage Diff             @@
##             main    #3198      +/-   ##
==========================================
+ Coverage   85.26%   85.33%   +0.06%     
==========================================
  Files        1258     1271      +13     
  Lines       27689    27925     +236     
  Branches     7372     7428      +56     
==========================================
+ Hits        23609    23829     +220     
- Misses       4080     4096      +16     
Files with missing lines Coverage Δ
frontend/src/api/k8s/roleBindings.ts 96.66% <100.00%> (ø)
frontend/src/api/k8s/roles.ts 100.00% <100.00%> (ø)
frontend/src/api/models/k8s.ts 100.00% <100.00%> (ø)
frontend/src/k8sTypes.ts 100.00% <ø> (ø)
...d/src/pages/modelServing/screens/projects/utils.ts 98.46% <ø> (ø)
frontend/src/pages/modelServing/utils.ts 93.37% <94.11%> (-0.01%) ⬇️

... and 50 files with indirect coverage changes


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f02500a...d6ae4a3. Read the comment docs.

},
rules: [
{
verbs: ['get'],
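
Review bot: at `verbs: ['get']`, the visible lines stop before any `apiGroups`, `resources` or `resourceNames` entry, so the scope of the grant cannot be confirmed from this excerpt. Since the PR description says the role is meant to get only InferenceServices in the ServiceAccount's own namespace, the rule should name the `serving.kserve.io` group and the `inferenceservices` resource explicitly, and a `resourceNames` entry for the served model would narrow it further. A unit test asserting that the generated rule carries no `list` or `watch` verb and no wildcard would keep the role from widening later.
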
Contributor

To add this role we need to add to the serviceaccount cluster role the following capability:

  - apiGroups:
      - serving.kserve.io
    resources:
      - inferenceservices
    verbs:
      - get
      - list
      - watch
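
The migration in the PR description and the permission requirement raised in the review comment above, sketched as an added example (not code from this PR or the project). Every function name, binding name and the sample data are constructed for illustration; only the `view` ClusterRole, the `serving.kserve.io` group and the `inferenceservices` resource come from the page.

```typescript
// Added example; every name and the sample data below are constructed.
interface PolicyRule { apiGroups: string[]; resources: string[]; verbs: string[] }
interface RoleBinding {
  metadata: { name: string; namespace: string };
  roleRef: { kind: string; name: string };
  subjects: { kind: string; name: string }[];
}

// The narrow grant the PR describes: "get" on InferenceServices only.
const scopedRule: PolicyRule = {
  apiGroups: ['serving.kserve.io'], resources: ['inferenceservices'], verbs: ['get'],
};

// Legacy bindings: a ServiceAccount subject bound to the ClusterRole "view".
function findLegacyViewBindings(bindings: RoleBinding[]): RoleBinding[] {
  return bindings.filter((rb) =>
    rb.roleRef.kind === 'ClusterRole' && rb.roleRef.name === 'view' &&
    rb.subjects.some((s) => s.kind === 'ServiceAccount'));
}

// roleRef is immutable in Kubernetes, so the old binding is deleted and this one created.
function toScopedBinding(rb: RoleBinding, roleName: string): RoleBinding {
  return { metadata: rb.metadata, subjects: rb.subjects, roleRef: { kind: 'Role', name: roleName } };
}

// RBAC escalation prevention: whoever creates a Role must already hold each
// permission in it. Returns the "verb resource.group" grants the creator lacks.
function missingGrants(creatorRules: PolicyRule[], wanted: PolicyRule): string[] {
  const has = (held: string[], want: string) => held.indexOf('*') !== -1 || held.indexOf(want) !== -1;
  const missing: string[] = [];
  for (const g of wanted.apiGroups) for (const r of wanted.resources) for (const v of wanted.verbs) {
    const ok = creatorRules.some((c) => has(c.apiGroups, g) && has(c.resources, r) && has(c.verbs, v));
    if (!ok) missing.push(`${v} ${r}.${g}`);
  }
  return missing;
}

// Constructed sample: one legacy binding, one unrelated binding.
const sampleBindings: RoleBinding[] = [
  { metadata: { name: 'model-a-view', namespace: 'demo' },
    roleRef: { kind: 'ClusterRole', name: 'view' },
    subjects: [{ kind: 'ServiceAccount', name: 'model-a-sa' }] },
  { metadata: { name: 'alice-edit', namespace: 'demo' },
    roleRef: { kind: 'ClusterRole', name: 'edit' },
    subjects: [{ kind: 'User', name: 'alice' }] },
];
console.log(findLegacyViewBindings(sampleBindings).map((rb) => rb.metadata.name));
```

An empty result from `missingGrants` for the creating identity's rules means the API server's escalation check will let it create the scoped Role.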
