harden the default RBAC discovery clusterrolebindings

[dekkagaijin]

Enhancement Description

• One-line enhancement description (can be used as a release note): Remove discovery from the set of APIs which allow for unauthenticated access by default, improving privacy for CRDs and the default security posture of default clusters in general.
• Primary contact (assignee): @dekkagaijin
• Responsible SIGs: sig-auth, sig-api-machinery
• Design proposal link (community repo): https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/0034-20190123-harden-default-discovery-bindings.md
• Link to e2e and/or unit tests: https://github.com/kubernetes/kubernetes/pull/73807/files#diff-10a6ed7aab30ba9661f23a9b9b542e38
• Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred: @liggitt, @deads2k
• Approver (likely from SIG/area to which enhancement belongs): @liggitt
• Enhancement target (which target equals to which milestone):
  • Alpha, Beta, Stable release target (1.14)

[dekkagaijin]

/sig auth

[liggitt]

dotting i's, crossing t's

[ameukam]

/kind feature

[spiffxp]

Adding tracked/yes label to reconcile against https://bit.ly/k8s114-enhancements
FYI @claurence @lachie83 @lledru @ameukam