[RHOAIENG-11010] Use a more secure role for KServe InferenceService access #3198

Merged
merged 5 commits into from
Sep 26, 2024

@mturley mturley commented Sep 11, 2024

Resolves https://issues.redhat.com/browse/RHOAIENG-11010

Description

See comments on Jira issue for implementation details. When setting up token auth for KServe models, instead of giving their ServiceAccounts a binding to the ClusterRole "view", we create a new role for them to get only InferenceServices in their own namespace. This PR also adds logic to replace the old rolebindings on users' clusters with the replaced more secure ones.

How Has This Been Tested?

Tested by @lucferbux, steps outlined in this doc

Test Impact

  • New unit tests for new frontend utils for managing roles
  • Updated tests for setUpTokenAuth to account for creating / not creating the new role
  • Backend code unfortunately has no unit testing currently, only manual testing here.

Request review criteria:

Self checklist (all need to be checked):

  • The developer has manually tested the changes and verified that the changes work
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has added tests or explained why testing cannot be added (unit or cypress tests for related changes)

If you have UI changes:

  • Included any necessary screenshots or gifs if it was a UI change.
  • Included tags to the UX team if it was a UI/UX change.

After the PR is posted & before it merges:

  • The developer has tested their solution on a cluster by using the image produced by the PR to main
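
The migration described in the PR body above, sketched as an added example (not code from this PR or the project): a namespaced Role that allows only `get` on InferenceServices, and a plan that swaps bindings to the ClusterRole "view" for bindings to that Role. The function names, the `isvc-get` role name and the sample objects are hypothetical, and the caller is assumed to pass only the bindings that were created for model token auth.

```typescript
// Subset of rbac.authorization.k8s.io/v1 needed for this example.
type Subject = { kind: string; name: string; namespace?: string };
type RoleRef = { apiGroup: string; kind: 'Role' | 'ClusterRole'; name: string };
type Meta = { name: string; namespace: string };
type RoleBinding = { kind: 'RoleBinding'; metadata: Meta; roleRef: RoleRef; subjects: Subject[] };
type Rule = { apiGroups: string[]; resources: string[]; verbs: string[] };
type Role = { kind: 'Role'; metadata: Meta; rules: Rule[] };

const RBAC_GROUP = 'rbac.authorization.k8s.io';

// Namespaced Role allowing only `get` on KServe InferenceServices.
// The name is supplied by the caller; any naming scheme here is hypothetical.
function inferenceServiceGetRole(namespace: string, name: string): Role {
  return {
    kind: 'Role',
    metadata: { name, namespace },
    rules: [{ apiGroups: ['serving.kserve.io'], resources: ['inferenceservices'], verbs: ['get'] }],
  };
}

// The old pattern: a ServiceAccount bound to the built-in ClusterRole "view".
function isLegacyViewBinding(rb: RoleBinding): boolean {
  return rb.roleRef.kind === 'ClusterRole' && rb.roleRef.name === 'view'
    && rb.subjects.some((s) => s.kind === 'ServiceAccount');
}

// roleRef cannot be changed on an existing RoleBinding, so each legacy binding
// is planned as a delete plus a create of a binding that points at the new Role.
function planMigration(bindings: RoleBinding[], roleName: string) {
  const legacy = bindings.filter(isLegacyViewBinding);
  const namespaces = legacy.map((rb) => rb.metadata.namespace)
    .filter((ns, i, all) => all.indexOf(ns) === i); // one Role per namespace
  return {
    createRoles: namespaces.map((ns) => inferenceServiceGetRole(ns, roleName)),
    deleteBindings: legacy.map((rb) => rb.metadata),
    createBindings: legacy.map((rb): RoleBinding => ({ ...rb, roleRef: { apiGroup: RBAC_GROUP, kind: 'Role', name: roleName } })),
  };
}

// Constructed sample input: one legacy binding and one already bound to a Role.
const sampleBindings: RoleBinding[] = [
  { kind: 'RoleBinding', metadata: { name: 'model-a-view', namespace: 'proj-a' },
    roleRef: { apiGroup: RBAC_GROUP, kind: 'ClusterRole', name: 'view' },
    subjects: [{ kind: 'ServiceAccount', name: 'model-a-sa', namespace: 'proj-a' }] },
  { kind: 'RoleBinding', metadata: { name: 'model-b-view', namespace: 'proj-a' },
    roleRef: { apiGroup: RBAC_GROUP, kind: 'Role', name: 'isvc-get' },
    subjects: [{ kind: 'ServiceAccount', name: 'model-b-sa', namespace: 'proj-a' }] },
];
const samplePlan = planMigration(sampleBindings, 'isvc-get');
```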

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress This PR is in WIP state label Sep 11, 2024

codecov bot commented Sep 13, 2024

Codecov Report

Attention: Patch coverage is 96.42857% with 1 line in your changes missing coverage. Please review.

Project coverage is 84.87%. Comparing base (47aabd3) to head (a122ad0).
Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
frontend/src/pages/modelServing/utils.ts 94.11% 1 Missing ⚠️

@@            Coverage Diff             @@
##             main    #3198      +/-   ##
==========================================
+ Coverage   84.84%   84.87%   +0.02%     
==========================================
  Files        1299     1300       +1     
  Lines       28920    28945      +25     
  Branches     7771     7777       +6     
==========================================
+ Hits        24538    24567      +29     
+ Misses       4382     4378       -4     
Files with missing lines Coverage Δ
frontend/src/api/k8s/roleBindings.ts 96.66% <100.00%> (ø)
frontend/src/api/k8s/roles.ts 100.00% <100.00%> (ø)
frontend/src/api/models/k8s.ts 100.00% <100.00%> (ø)
frontend/src/k8sTypes.ts 100.00% <ø> (ø)
...d/src/pages/modelServing/screens/projects/utils.ts 96.84% <ø> (ø)
frontend/src/pages/modelServing/utils.ts 93.37% <94.11%> (-0.01%) ⬇️

... and 4 files with indirect coverage changes


Δ = absolute <relative> (impact), ø = not affected, ? = missing data

mturley and others added 5 commits September 25, 2024 19:00
…r KServe

Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
Signed-off-by: gitdallas <5322142+gitdallas@users.noreply.github.com>
Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
@mturley mturley changed the title [WIP] [RHOAIENG-11010] Use a more secure role for KServe InferenceService access [RHOAIENG-11010] Use a more secure role for KServe InferenceService access Sep 25, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress This PR is in WIP state label Sep 25, 2024
@lucferbux lucferbux left a comment

/lgtm

openshift-ci bot commented Sep 26, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lucferbux

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 7e9fe94 into opendatahub-io:main Sep 26, 2024
8 checks passed
@mturley mturley deleted the RHOAIENG-11010 branch September 26, 2024 20:48