cocalc-kubernetes
implement better service account
Right now we suggest this in the README.md:
```
kubectl create rolebinding cocalc-kubernetes-server-binding --clusterrole=admin --serviceaccount=default:cocalc-kubernetes-server
```
However:
- The account doesn't need admin for the entire namespace, but we should do something more precise.
- In some cases (e.g., Docker for Windows + Kubernetes) --role=admin instead of --clusterrole=admin will work, and in others (e.g., GKE) it won't work at all and Kubernetes just says there is no admin role.
Somebody who is a Kubernetes RBAC security expert could do a better job and better lock down the cocalc-kubernetes server (so if it were compromised, then it can't do as much further damage to the whole Kubernetes cluster).
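
Added example, not part of the original issue or the project's own manifests: a namespaced Role and RoleBinding that could replace the `admin` binding above. Because the Role is defined in the manifest, it does not depend on a built-in `admin` Role or ClusterRole existing on the cluster. The Role name and the rule list are assumptions (the page does not say which API resources the server uses), so the rules must be trimmed or extended to match the calls the server actually makes.

```yaml
# Added example. Assumption: the server only manages Deployments and Pods
# (and reads pod logs) in its own namespace. Adjust rules to the real API usage.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cocalc-kubernetes-server-role   # hypothetical name
  namespace: default
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # Deliberately absent: secrets, serviceaccounts, roles, rolebindings.
  # The built-in admin role grants all of these within the namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cocalc-kubernetes-server-binding   # binding name from the README command
  namespace: default
subjects:
  - kind: ServiceAccount
    name: cocalc-kubernetes-server
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                               # namespaced Role, not a ClusterRole
  name: cocalc-kubernetes-server-role
# Check the result after applying (expected answers under the assumptions above):
#   kubectl auth can-i list pods -n default \
#     --as=system:serviceaccount:default:cocalc-kubernetes-server         # yes
#   kubectl auth can-i get secrets -n default \
#     --as=system:serviceaccount:default:cocalc-kubernetes-server         # no
#   kubectl auth can-i create rolebindings -n default \
#     --as=system:serviceaccount:default:cocalc-kubernetes-server         # no
```

`kubectl auth can-i --list -n default --as=system:serviceaccount:default:cocalc-kubernetes-server` prints the full set of permissions the account ends up with, which is a quick way to confirm nothing broader is still bound to it.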