Implement a MutatingAdmissionWebhook to apply relocation mappings to pods

[glyn]

This was suggested in discussions with the kubernetes community as a way of applying a relocation mapping to image references used to create containers. The webhook would need to mutate pods to replace image references with their relocated counterparts.

The relocation mapping state of the webhook should be managed by a controller which would monitor resources describing partial relocation mappings.

[glyn]

TODO (possibly in later issues):

• [x] Use Conditions rather than an error string
• [x] Clear the error condition when an imagemap later successfully applies
• [x] Handle missed deletes
• [X] Delay the controller pod status from becoming ready until resync is complete - deferred to https://github.com/pivotal/kubernetes-image-mapper/issues/5
• [X] Add ClusterImageMap for mappings that need to be applied to all namespaces - deferred to https://github.com/pivotal/kubernetes-image-mapper/issues/4
• [x] Add the webhook (see spike https://github.com/pivotal/image-relocation/pull/37)

[glyn]

Improvements from @roycaihw's excellent KubeCon presentation on admission webhooks:

• [x] avoid mutating pods in kube-system namespace

• [ ] (for kubernetes v1.15+) configure reinvocationPolicy: IfNeeded to ensure mutations by other webhooks are processed (e.g. if a sidecar pod is injected, need to relocate the image)

• [ ] (for kubernetes v1.15+) consider configuring matchPolicy: Equivalent to ensure all versions of a pod spec are processed.

[glyn]

See https://github.com/pivotal/kubernetes-image-mapper/pull/20