Add NodeRestriction flag

[yuvalavra]

NodeRestriction prevents nodes from abusing certain powerful permissions even if they're granted to them via RBAC. rbac-police should take that into account, possible implementation:

• Add --node-restriction flag to eval to indicate the cluster uses NodeRestriction, and expose its value to Rego policies. Default value should probably befalse for now.
• Add preventedByNodeRestriction variable to policies if NodeRestriction stops the attack they detect.
• Modify the Rego wrapper to drop node violation when the policy has preventedByNodeRestriction and given --node-restriction is enabled.
• Combined violations in steal_pods.rego would need to be refactored (and would probably be a bit ugly)

[yuvalavra]

NodeRestriction1.10:

• delete pods (Evict Pods)
• create pods/eviction (Evict Pods)
• modify pods (Evict Pods, RCE, MiTM)
• delete nodes (Evict Pods)
• modify nodes (Evict Pods, Unschedulable)
• modify nodes/status (un-schedulable)
• create serviceacccounts/token (Tokens)
• create pods (Tokens)
• create pods/exec (RCE)
• modify pods/ephemeralcontainers (RCE)
• create nodes/proxy (RCE)

NodeRestriction1.17:

• modify pods/status (Evict Pods, MiTM)

[yuvalavra]

Fixed in #7