Make it possible to authenticate a Bootstrap Token in different groups #49306
Description
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
It should be possible to set auth-groups or a similar key on a Bootstrap Token Secret to get the BootstrapTokenAuthenticator add those group(s) when authenticating.
This has many benefits, but primarily that it's possible to give different Bootstrap Tokens different identities.
For example, you may want to have one Bootstrap Token only for adding normal nodes to the cluster, but have some Bootstrap Tokens to be able to add masters to the cluster, etc.
This mechanism will also imply that the "default" BT (where auth-groups isn't set) has no specific privileges in the cluster. The sysadmin must explicitly assign the BT some groups in order to give it privileges.
auth-groups takes a comma-separated list of groups to use for authentication. The group must have the system:bootstrappers: prefix so that it is easily distinguishable from other groups. (And to avoid having someone assign their bootstrap token system:masters, for instance.)
This is part of getting Bootstrap Tokens to beta in v1.8
@kubernetes/sig-auth-feature-requests @kubernetes/sig-cluster-lifecycle-feature-requests
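As an added example (not code from the issue or from Kubernetes itself), the following Go snippet shows the validation the proposal calls for: parsing the comma-separated auth-groups value and refusing any group outside the system:bootstrappers: namespace, so a token cannot be handed system:masters through a Secret. The key name auth-groups, the default system:bootstrappers group that the extras are appended to, and the exact character pattern used after the prefix are assumptions of this example, not details fixed by the issue.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Prefix every extra bootstrap group must carry (from the issue text).
const BootstrapGroupPrefix = "system:bootstrappers:"

// Group a bootstrap token is assumed to receive regardless of the Secret; the
// groups from the auth-groups key are added on top of it (assumption).
const BootstrapDefaultGroup = "system:bootstrappers"

// bootstrapGroupRe constrains the part after the prefix to a conservative
// charset so a Secret value cannot smuggle whitespace or other surprises into
// an authorization subject. The exact pattern is this example's own choice.
var bootstrapGroupRe = regexp.MustCompile(`^system:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]$`)

// ParseAuthGroups turns the comma-separated value of the proposed auth-groups
// key into a validated, de-duplicated list. An empty value means "no extra
// groups", which is the no-privilege default the issue describes. Any group
// outside the system:bootstrappers: namespace (system:masters, for example) is
// rejected rather than silently dropped, so a mistyped Secret fails closed.
func ParseAuthGroups(raw string) ([]string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, nil
	}
	var groups []string
	seen := make(map[string]bool)
	for _, g := range strings.Split(raw, ",") {
		g = strings.TrimSpace(g)
		if g == "" {
			return nil, errors.New("auth-groups: empty group name in list")
		}
		if !strings.HasPrefix(g, BootstrapGroupPrefix) {
			return nil, fmt.Errorf("auth-groups: group %q must start with %q", g, BootstrapGroupPrefix)
		}
		if !bootstrapGroupRe.MatchString(g) {
			return nil, fmt.Errorf("auth-groups: group %q has an invalid format", g)
		}
		if !seen[g] {
			seen[g] = true
			groups = append(groups, g)
		}
	}
	return groups, nil
}

// BootstrapUserGroups is what an authenticator would attach to the request:
// the default bootstrappers group first, then the validated extras.
func BootstrapUserGroups(raw string) ([]string, error) {
	extra, err := ParseAuthGroups(raw)
	if err != nil {
		return nil, err
	}
	return append([]string{BootstrapDefaultGroup}, extra...), nil
}

func main() {
	// Constructed sample values for the auth-groups key.
	for _, v := range []string{
		"",
		"system:bootstrappers:kubeadm:default-node-token",
		"system:bootstrappers:worker, system:bootstrappers:master",
		"system:masters",
	} {
		groups, err := BootstrapUserGroups(v)
		fmt.Printf("%-60q -> %v err=%v\n", v, groups, err)
	}
}
```

The point of rejecting (rather than filtering) a bad group is that a cluster operator who mistypes the key sees the token fail to authenticate instead of a node silently joining with fewer groups than intended, which is the safer of the two failure modes for an RBAC subject.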