Add e2e coverage of apiserver policy functionality

[joestringer]

• Policy match allows traffic from/towards apiserver when deployed within the cluster (eg kind): Add basic kube-apiserver policy matching e2e test  #18333
• Policy match allows traffic from/towards apiserver when deployed outside the cluster (eg managed k8s): Add basic kube-apiserver policy matching e2e test  #18333
• When new apiserver service endpoints are added, the same policy now allows the traffic.
• When an existing apiserver service endpoint is removed, the same policy now disallows the traffic.
• If you add two identical apiserver policies and then remove one, connectivity still works: Fix kube-apiserver policy matching feature with tunneling enabled #18527
• No impact on connectivity during upgrade
• Send traffic from the apiserver node towards a pod on another node and make sure it matches the policy we expect.

[joestringer]

Chris and I reviewed this list, we came to these conclusions:

• The tests we have already introduced will highlight obvious regressions in the feature
• There is a clear path to improve some of the existing unit testing around multiple policies, we can likely achieve that in the short term.
• Several of these e2e coverage items would be harder to implement as the existing unit test infrastructure doesn't provide a good way to cover it; furthermore e.g. testing apiserver failover is difficult with today's ginkgo-based infrastructure.
• We can mitigate the risks of bugs or regressions in this area by improving the debuggability - @christarazi to file an issue on that.
• We'll defer the rest for now, we can always improve the coverage later on.

[christarazi]

Re: #17829 (comment), #18529. Unassigning for now.