WIP: update KAS bootstrapping to get RBR from CAO

[everettraven]

What this PR does / why we need it:

• Updates the Kubernetes API server bootstrapping logic to get the RoleBindingRestriction CRD from the cluster-authentication-operator's manifest renderer if OAuth is enabled. This is needed so that the Kubernetes API server can start up successfully when the RoleBindingRestriction CRD is no longer included in the openshift/api generated payload manifests. See CNTRLPLANE-72: remove RoleBindingRestriction CRD from payload api#2138
• Disables the authorization.openshift.io/RestrictSubjectBindings and authorization.openshift.io/ValidateRoleBindingRestrictions admission plugins on the Kubernetes API server if the OAuth is not enabled. This was proposed in (oidc): add considerations for impacted kube-apiserver admission plugins enhancements#1726

Which issue(s) this PR fixes (optional, use fixes #<issue_number>(, fixes #<issue_number>, ...) format, where issue_number might be a GitHub issue, or a Jira story:
Fixes #

Checklist

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everettraven
Once this PR has been reviewed and has the lgtm label, please assign davidvossel for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cwbotbot]

Test Results

e2e-aws

• Status: ❌ FAIL
• Started: 2025-05-09T17:37:34Z
• View Job
• View Job History

Failed Tests

Total failed tests: 23

• TestAutoscaling
• TestAutoscaling/ValidateHostedCluster
• TestCreateCluster
• TestCreateCluster/ValidateHostedCluster
• TestCreateClusterCustomConfig

... and 18 more failed tests

e2e-aks

• Status: ❌ FAIL
• Started: 2025-05-09T17:37:31Z
• View Job
• View Job History

Failed Tests

Total failed tests: 9

• TestAzureScheduler
• TestAzureScheduler/ValidateHostedCluster
• TestCreateCluster
• TestCreateCluster/ValidateHostedCluster
• TestNodePool

... and 4 more failed tests

[openshift-ci]

@everettraven: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-kubevirt-aws-ovn-reduced	4e72b89	link	true	/test e2e-kubevirt-aws-ovn-reduced
ci/prow/e2e-aks	4e72b89	link	true	/test e2e-aks
ci/prow/e2e-aws	4e72b89	link	true	/test e2e-aws
ci/prow/e2e-aws-upgrade-hypershift-operator	4e72b89	link	true	/test e2e-aws-upgrade-hypershift-operator
ci/prow/unit	4e72b89	link	true	/test unit

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.