Implement mechanism to tie custom resources to coldfront allocations

[larsks]

In #756, we need to create a custom ClusterRoleBinding to grant Jason Schlessman read access to Node resources. The way things work now, this custom resource will hang around even after Jason's access to the production cluster has expired.

While most custom rbac we add to the cluster is confined within the project namespace (which means it will be cleaned up if/when the project is deleted), we ought to have a way of attaching cluster-scoped resources to coldfront allocations so that when a project expires, all the associated resources get cleaned up.

[larsks]

@joachimweyl this is the issue re: tracking cluster-wide resources associated with projects.

[larsks]

@jtriley suggests that simply labelling this resources would be a reasonable starting point. How are coldfront projects identified? I see that our project namespaces have a cf_project_id attribute; should we use that? Or should we use the namespace name (like nextgen-justice-4d21a9).