fix(cli): improved support for native sidecar servers in linkerd authz (#14780)

(Extracted from #14566)

The logic behind the `linkerd authz` command wasn't accounting for ports
in init containers, so authorization policies pointing to those ports
were not reported by the command.

Say for example you had a strict auth policy for the `linkerd-admin`
port, allowing only access from prometheus. For emojivoto's web workload
you could set that up like this:

```yaml
apiVersion: policy.linkerd.io/v1beta3
kind: Server
metadata:
  annotations:
  name: admin
  namespace: emojivoto
spec:
  accessPolicy: deny
  podSelector:
    matchLabels:
      app: web-svc
  port: linkerd-admin
  proxyProtocol: HTTP/1
---
apiVersion: policy.linkerd.io/v1alpha1
kind: MeshTLSAuthentication
metadata:
  namespace: emojivoto
  name: prometheus
spec:
  identities:
  - "prometheus.linkerd-viz.serviceaccount.identity.linkerd.cluster.local"
---
apiVersion: policy.linkerd.io/v1alpha1
kind: AuthorizationPolicy
metadata:
  namespace: emojivoto
  name: web-http-sa
spec:
  targetRef:
    group: policy.linkerd.io
    kind: Server
    name: admin
  requiredAuthenticationRefs:
    - name: prometheus
      kind: MeshTLSAuthentication
      group: policy.linkerd.io
```

Invoking `linkerd authz` would return nothing, but after this change we
can see the auth:

```
$ linkerd authz -n emojivoto deploy/web
ROUTE   SERVER  AUTHORIZATION_POLICY   SERVER_AUTHORIZATION
*       admin   web-http-sa
```

Author: alpeb

pkg/k8s/policy.go

@@ -247,7 +247,7 @@ func serverIncludesPod(server serverv1beta3.Server, pods []corev1.Pod) bool {
 
 	for _, pod := range pods {
 		if selector.Matches(labels.Set(pod.Labels)) {
-			for _, container := range pod.Spec.Containers {
+			for _, container := range append(pod.Spec.InitContainers, pod.Spec.Containers...) {
 				for _, p := range container.Ports {
 					if server.Spec.Port.IntVal == p.ContainerPort || server.Spec.Port.StrVal == p.Name {
 						return true