Validate ServerRef via Admission Webhook

[debuggerchen]

It seems that the S3Buckets/User/Policy can reference S3Server in any namespaces, which probably enables namespace-scoped users to use S3 storage outside their authorized namespaces. Perhaps an admission webhook would help check whether the user has permission of the referenced S3 server.

[nicolaiort]

Thank you for the suggestion, sounds like a good idea.
If you want to/are able to implement this i'd be happy to accept a PR - otherwise I'll add it to the "TODO" list and implement it whenever I have time.

A small addition: It should be implemented in a way that makes the "allow cross namespace" toggleable via a flag or env. In some of the clusters I deployed this to, the cross namespace reference is a feature by design to allow shared access to shared S3 servers.