Provide better feedback for missing child namespace

[enisoc]

A user on Slack received a cryptic error while trying to create namespaced objects (Secret.v1) as children of a cluster-scoped parent object (Namespace.v1):

controller.go:245] failed to sync namespace-managed "v1:Namespace::default": can't reconcile children for Namespace /default: the server does not allow this method on the requested resource

The problem ended up being that they left the metadata.namespace field of the Secret empty. Although we allow that field to be empty for namespaced children of namespaced parents (because we can assume the child must be in the same namespace as the parent), it is an error to leave it empty for a namespaced child of a cluster-scoped parent (because we can't deduce the namespace).

We should do a better job of detecting this problem, and giving good feedback to tell the user what they need to fix. For example, we know from discovery info which resources are namespaced. We should have seen that Secret is namespaced, and returned a specific error message to the effect of, "Secret is a namespaced resource, but the desired child has an empty metadata.namespace. Namespaced children of cluster-scoped parents must always specify a non-empty metadata.namespace."