What would you like to be added:
Don't use kubeconfig directly, prefered to use jwt token as the first choice, if not fallback to kubeconfig.

Why is this needed:
Security is an important topic for karmada dashboard development, since some security problems have been submited, we should pay more attention to security. Currently, karmada dashboard relies on kubeconfig file including karmada-api context and karmada-host context to take control of apisever including karmada apiserver and kubernetes apiserver, but we found that it's not necessary to use kubeconfig directly from early bi-weekly meetiing discussion. So we decided to minibase the permission requirements, but make sure karmada dasbboard still works.