controlplane: minimum version negotiation/consensus

[lorenz]

For updating cleanly we need a system which tracks the minimum version of either the entire control plane or certain control plane components.

For example for K8s 1.25+ we need to remove the builtin PSP RBAC policies as well as bindings. This should however only be done once all control plane nodes are updated to 1.25+. Afterwards we need to make sure that every new control plane role assignment is gated on the node having at minimum the given version.

A similar thing should probably be done for the worker nodes (but there it is much less critical).

/cc @q3k as you probably have opinions on this

[leoluk]

The immediate production need was addressed using Jan's new reconciler. Removing from milestone, CC @lorenz for the follow-up architecture.