Add `accessPolicy` field to Server CRD

[alpeb]

Followup to #12844

This new field defines the default policy for Servers, i.e. if a request doesn't match the policy associated to a Server then this policy applies. The values are the same as for proxy.defaultInboundPolicy and the config.linkerd.io/default-inbound-policy annotation (all-unauthenticated, all-authenticated, cluster-authenticated, cluster-unauthenticated, deny), plus a new value "audit". The default is "deny", thus remaining backwards-compatible.

This field is also exposed as an additional printer column.

[alpeb]

Thanks Matei, let me summarize what we discussed off-github:

• Source cluster with newer CRD, target cluster with old CRD: it breaks! This is the output from the destination controller:

  level=error msg="Error adding cluster target to store: server CRD (policy.linkerd.io/v1beta3) not found" component=cluster-store

  The target doesn't know that version exists, so it returns an error.

• Source cluster with old CRD, target cluster with new CRD: it works as per my testing. We're still serving both versions and we're using the default "None" conversion strategy, which means that the Server is returned as its stored schema (v1beta3) with only the apiVersion field accommodating to the requested one (v1beta2). I did some client-go scavenging and confirmed the serializer built in server_client.go creates a CodecFactory leaving the default CodecFactoryOptions.Strict: false, so the decoder doesn't complain if there's an unrecognized field.

The first problem disappears as soon as we upgrade the CRDs on the target cluster and restart the destination controller. So something folks need to have clear when upgrading multicluster.