Configure application users in Kubernetes

Kubernetes has deep support for RBAC starting with 1.7. Application users should be managed with x.509 certificates.

Needs discussion on what permissions users should have on the cluster. Since it'll be friendlies like Tim to start, I'm thinking User-facing roles admin on staging and prod, so anyone can develop and deploy anything, even things they didn't deploy, and to create things like serviceaccounts. Also probably view on all namespaces (because why not), and most verbs (get, list, create, update, patch, watch, delete) for ServiceMonitor on monitoring.

Can be considered done when there is one reasonable application user who is non-admin on the cluster.