Validate RoleTemplate as non-namespaced

[tomleb]

Issue

This should fix the integration tests in rancher/rancher issue that was introduced in #328 (see also rancher/rancher#40584) which results in the following tests to fail:

test_default_roles.py::test_cluster_create_role_locked
test_default_roles.py::test_project_create_default_role
test_default_roles.py::test_project_create_role_locked
test_default_roles.py::test_user_create_default_role

The error looks like the following:

"rancher.cattle.io.roletemplates.management.cattle.io" denied the request: roletemplate.rules[8].nonResourceURLs: Invalid value: []string{"*"}: namespaced rules cannot apply to non-resource URLs\n\t{\'baseType\': \'error\', \'code\': \'BadRequest\', \'message\': \'admission webhook "rancher.cattle.io.roletemplates.management.cattle.io" denied the request: roletemplate.rules[8].nonResourceURLs: Invalid value: []string{"*"}: namespaced rules cannot apply to non-resource URLs\', \'status\': 400, \'type\': \'error\'}')

The issue is that namespaced resources cannot have nonResourceURLs in them. The true here is passed down to the upstream k8s validation function, which sees the nonResourceURLs in the cluster-owner RoleTemplate.

The fix simply uses the rules from non-namespaced resources, which skips the check for nonResourceURLs. Note this is not perfectly 1:1 with k8s but it's still more checks than we had previously.

@andreas-kupries As mentioned in Slack, feel free to take this as inspiration for a fix, or review it as is. Leaving as draft for now.

[andreas-kupries]

Looking over it, and reading the explanations, this looks like a good fix to me.
And apologies for missing this namespace vs not when writing the original PR.

Checked and confirmed for myself that RoleTemplates are not namespaced.
Cross-checking GlobalRoles are also not namespaced and their calls to ValidateRules are very much 🆗 , using false outright.

This confirms to me that the change to use false is the correct fix.
✔️ make test passes.