reconcile cluster roles instead of overwriting

[deads2k]

fixes #15648

Moving to post-start hooks introduced a policy creation race. This pull fixes the race by unconditionally reconciling like we will in 3.7 when we switch to RBAC. I also made the reconcile cluster roles respect the annotation we use to protect the resources from reconciliation.

@openshift/security fyi

[enj]

/lgtm

[openshift-merge-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, enj

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/cmd/OWNERS [deads2k]
• pkg/diagnostics/OWNERS [deads2k]
• pkg/oc/OWNERS [deads2k]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[deads2k]

failure is real

[deads2k]

@enj added a new commit if you want a second look. namespaced roles in our openshift namespace. Falls out like the other namespaced ones in the RBAC refactor.

[enj]

@enj added a new commit if you want a second look. namespaced roles in our openshift namespace. Falls out like the other namespaced ones in the RBAC refactor

LGTM

[deads2k]

/test end_to_end

[deads2k]

/retest

[deads2k]

yum problem
/test end_to_end

[deads2k]

#8571
/test end_to_end

[deads2k]

/retest

[deads2k]

/test extended_conformance_install_update

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[0xmichalis]

/test extended_conformance_install_update

[0xmichalis]

/retest

[0xmichalis]

/retest

[openshift-merge-robot]

Automatic merge from submit-queue