First draft of KEP-3169: Fine-grained SupplementalGroups control

This KEP roughly introduces belows in Kubernetes API:
- 'PodSecurityContext.SupplementalGroupsPolicy' to control which groups are attached to the container process, and
- 'ContainerStatus.User' so that user know which identities(uid, gid, supplemental groups) are ACTUALLY attached to the container process.
The corresponding changes are also proposed in CRI.

Co-authored-by: Sergey Kanzhelev <[email protected]>

Author: everpeace