Put TenantControlPlane in Read-Only mode

[prometherion]

At the current state (v0.4.1) the R/O mode is put in place only upon a specific circumstance such as the migration of the TCP to a different Datastore.

There could be use cases where the TCP should be put in R/O mode for several reasons and domain logic which are not scoped to Kamaji itself.

To avoid bumping up the TenantControlPlane API type we could introduce a knob as a new specification field, such as spec.readOnlyMode with a false default. All the write actions on all the objects must be blocked, except for the Lease ones which would cause, otherwise, a cascading failure of operators, and the kubelet nodes. Furthermore, all the write actions performed by ServiceAccount in the kube-system should be allowed, although the R/O mode, to keep pods up and running despite the failures.

[bsctl]

@prometherion it makes sense
+1