forseti-security / helm-charts

Apache License 2.0

Eliminate the need for the IAM SA keys as Kubernetes secrets #32

Closed blueandgold closed 5 years ago

blueandgold commented 5 years ago

It is a best practice not to use service account keys (whenever possible). But currently for Forseti on GKE, the IAM service account key is obtained from GCP and added as a secret to Kubernetes.

Per discussion with @kevensen, it is possible to create a dedicated Forseti node pool in the cluster and bind the SA to the nodes, without using a key, i.e. "taint" these nodes as described above for the sole use of Forseti.

kevensen commented 5 years ago

Ought to be fixed going in to beta

blueandgold commented 5 years ago

@kevensen Please see @morgante's idea to use Workload Identity to solve this issue.

https://github.com/forseti-security/terraform-google-forseti/issues/250
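The two approaches discussed in this thread (the dedicated tainted node pool, and Workload Identity) side by side with the key-as-Secret pattern the issue wants removed, as an added example. This is not code from the forseti-security/helm-charts chart or the linked Terraform issue; the namespace `forseti`, the Kubernetes and Google service account names `forseti-server`, the project `my-project`, the node pool `forseti-pool`, its taint `forseti=true:NoSchedule` and the container image are all assumptions. The `gcloud` commands in the comments are the cluster-side steps the manifest depends on.

```yaml
# Added example, not the chart's own templates. All names are assumptions.
---
# BEFORE (what the issue describes): the GSA key JSON is downloaded and stored
# as a Secret. Anyone who can read Secrets in this namespace, or an etcd
# backup, now holds a long-lived credential that works from anywhere.
apiVersion: v1
kind: Secret
metadata:
  name: forseti-server-key
  namespace: forseti
type: Opaque
data:
  key.json: ""   # placeholder; in the real chart this is the base64 key file
---
# AFTER: Workload Identity. No key material exists in the cluster. The KSA is
# mapped to the GSA by annotation; the mapping must also be authorised on the
# GCP side, outside this manifest:
#
#   gcloud container clusters update my-cluster \
#       --workload-pool=my-project.svc.id.goog
#   gcloud iam service-accounts add-iam-policy-binding \
#       forseti-server@my-project.iam.gserviceaccount.com \
#       --role roles/iam.workloadIdentityUser \
#       --member "serviceAccount:my-project.svc.id.goog[forseti/forseti-server]"
#
# Tokens are then minted by the GKE metadata server per pod, short-lived, and
# only for pods running as this KSA.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: forseti-server
  namespace: forseti
  annotations:
    iam.gke.io/gcp-service-account: forseti-server@my-project.iam.gserviceaccount.com
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: forseti-server
  namespace: forseti
spec:
  replicas: 1
  selector:
    matchLabels:
      app: forseti-server
  template:
    metadata:
      labels:
        app: forseti-server
    spec:
      serviceAccountName: forseti-server
      # Workload Identity only works on node pools that run the GKE metadata
      # server. GKE sets this label on such pools, e.g. one created with:
      #
      #   gcloud container node-pools create forseti-pool --cluster=my-cluster \
      #       --workload-metadata=GKE_METADATA \
      #       --node-taints=forseti=true:NoSchedule
      nodeSelector:
        iam.gke.io/gke-metadata-server-enabled: "true"
      # Dedicated, tainted node pool for Forseti only, as proposed in the
      # first comment: nothing without this toleration lands on those nodes.
      tolerations:
        - key: forseti
          operator: Equal
          value: "true"
          effect: NoSchedule
      containers:
        - name: server
          image: gcr.io/example/forseti-server:latest   # placeholder image
          # No GOOGLE_APPLICATION_CREDENTIALS and no key volume: the Google
          # client libraries fall back to the metadata server, which now
          # answers for the mapped GSA.
```

With Workload Identity enabled on the pool, the node VM's own service account is no longer reachable from pods, so the node-pool-bound SA idea from the first comment and this one converge: the dedicated pool isolates scheduling, and the KSA-to-GSA mapping scopes the credential to the Forseti pods rather than to every pod on the node. Once the chart stops creating the Secret, delete the downloaded key in GCP as well (`gcloud iam service-accounts keys delete`), otherwise the credential it was meant to replace stays valid.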