What would you like to be added

At the moment the escalate verb, which is available on Kubernetes cluster roles, does not appear to be supported:

```
kubectl-who-can escalate clusterroles
Error: resolving resource: the "clusterroles" resource does not support the "escalate" verb, only [create delete deletecollection get list patch update watch]
```

It would be good if escalate was factored into the tool. There are probably two ways that it might make sense to include this. The first would be the ability for the command above to return principals which have access to escalate. The second way (which would be trickier to implement) would be to show principals which have access to escalate on clusterroles as having all other rights.
Why is this needed
The escalate right essentially allows principals which have access to it to gain cluster-admin rights at any time they want. As mentioned in the documentation, having access to escalate allows a principal to edit a cluster role (or role) to grant permissions the user did not previously have.
In a standard kubeadm cluster, there is a service account which has this right, the clusterrole-aggregation-controller. There's a blog here that shows how someone with that account's service account token can escalate to cluster-admin.
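The two behaviours requested above, as an added stand-alone example that is not kubectl-who-can's own code: a Go program with cut-down models of ClusterRole and ClusterRoleBinding that (1) answers "who can escalate clusterroles" and (2) optionally reports subjects whose role can rewrite ClusterRoles as having every right. The sample objects are constructed here; the aggregation controller's rule and binding are modelled on the kubeadm defaults (escalate, get, list, patch, update, watch on clusterroles in rbac.authorization.k8s.io, bound to the kube-system/clusterrole-aggregation-controller service account). The `canSelfEscalate` heuristic is an assumption of this example: it counts a role as all-powerful only when it holds escalate together with update or patch on clusterroles, since escalate alone only lifts the escalation check and does not let you write the role.

```go
package main

import (
	"fmt"
	"sort"
)

const rbacGroup = "rbac.authorization.k8s.io"

// Cut-down models of the RBAC objects; only the fields the check needs.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

type ClusterRole struct {
	Name  string
	Rules []PolicyRule
}

type Subject struct {
	Kind      string // "User", "Group" or "ServiceAccount"
	Name      string
	Namespace string // only set for ServiceAccount
}

type ClusterRoleBinding struct {
	Name     string
	RoleRef  string // name of the bound ClusterRole
	Subjects []Subject
}

// matches implements RBAC wildcard semantics: "*" in a rule matches anything.
func matches(allowed []string, want string) bool {
	for _, a := range allowed {
		if a == "*" || a == want {
			return true
		}
	}
	return false
}

// roleGrants reports whether any rule in the role allows verb on group/resource.
// The core API group is the empty string, as in Kubernetes.
func roleGrants(role ClusterRole, group, resource, verb string) bool {
	for _, r := range role.Rules {
		if matches(r.APIGroups, group) && matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// canSelfEscalate (assumption of this example): a role that may escalate
// clusterroles AND update or patch them can rewrite a ClusterRole to grant
// anything, so its subjects are reported for every query.
func canSelfEscalate(role ClusterRole) bool {
	return roleGrants(role, rbacGroup, "clusterroles", "escalate") &&
		(roleGrants(role, rbacGroup, "clusterroles", "update") ||
			roleGrants(role, rbacGroup, "clusterroles", "patch"))
}

func subjectKey(s Subject) string {
	if s.Kind == "ServiceAccount" {
		return fmt.Sprintf("ServiceAccount:%s/%s", s.Namespace, s.Name)
	}
	return s.Kind + ":" + s.Name
}

// WhoCan lists the subjects (sorted, de-duplicated) whose bound ClusterRole grants
// verb on group/resource. With includeEscalate set, subjects whose role passes
// canSelfEscalate are included regardless of the verb asked about.
func WhoCan(roles []ClusterRole, bindings []ClusterRoleBinding, group, resource, verb string, includeEscalate bool) []string {
	byName := map[string]ClusterRole{}
	for _, r := range roles {
		byName[r.Name] = r
	}
	seen := map[string]bool{}
	for _, b := range bindings {
		role, ok := byName[b.RoleRef]
		if !ok {
			continue // dangling roleRef grants nothing
		}
		if roleGrants(role, group, resource, verb) || (includeEscalate && canSelfEscalate(role)) {
			for _, s := range b.Subjects {
				seen[subjectKey(s)] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Constructed sample data modelled on a default kubeadm cluster plus one extra binding.
var sampleRoles = []ClusterRole{
	{Name: "cluster-admin", Rules: []PolicyRule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}},
	{Name: "system:controller:clusterrole-aggregation-controller", Rules: []PolicyRule{{
		APIGroups: []string{rbacGroup}, Resources: []string{"clusterroles"},
		Verbs:     []string{"escalate", "get", "list", "patch", "update", "watch"}}}},
	{Name: "view", Rules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}}}},
}

var sampleBindings = []ClusterRoleBinding{
	{Name: "cluster-admin", RoleRef: "cluster-admin", Subjects: []Subject{{Kind: "Group", Name: "system:masters"}}},
	{Name: "system:controller:clusterrole-aggregation-controller", RoleRef: "system:controller:clusterrole-aggregation-controller",
		Subjects: []Subject{{Kind: "ServiceAccount", Name: "clusterrole-aggregation-controller", Namespace: "kube-system"}}},
	{Name: "alice-view", RoleRef: "view", Subjects: []Subject{{Kind: "User", Name: "alice"}}},
}

func main() {
	fmt.Println("who can escalate clusterroles:", WhoCan(sampleRoles, sampleBindings, rbacGroup, "clusterroles", "escalate", false))
	fmt.Println("who can get secrets (direct grants):", WhoCan(sampleRoles, sampleBindings, "", "secrets", "get", false))
	fmt.Println("who can get secrets (escalate counted):", WhoCan(sampleRoles, sampleBindings, "", "secrets", "get", true))
}
```

Against the sample data the first query lists both the system:masters group (cluster-admin's `*` verb matches escalate) and the aggregation controller's service account; the service account only appears for `get secrets` once the escalate expansion is switched on. A real implementation would also have to walk Roles and RoleBindings and handle aggregated ClusterRoles, which this example leaves out.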