Implement privilege elevation flag

[mikeshootzz]

What problem are you facing?

Currently, there's no way to run crossplane CLI commands as a different user or service account. kubectl has --as and --as-group for this, but the crossplane CLI doesn't have anything equivalent.

This comes up when:

• You want to check if a specific user can actually see or access a resource (e.g. with resource trace) without switching your whole kubeconfig context
• You're debugging access issues for another user and want to see what they see
• You're running in CI as a privileged service account but need to validate things from the perspective of a less-privileged one
• You're working in a multi-tenant cluster and want to confirm resources are scoped correctly for a given tenant

How could Crossplane help solve your problem?

Add --as, --as-group, and optionally --as-uid flags to the CLI commands that talk to the cluster.

A few thoughts on how this could work:

• Which commands: resource trace, cluster top, version, xpkg install, xpkg update, and the completion helpers all create a Kubernetes client, so they'd all benefit from these flags.
• Shared definition: Rather than duplicating the flags in every command, it'd be nice to define them once in a shared struct and mix them in where needed.
• Match kubectl: The flag names and behavior should match what kubectl does so there's nothing new to learn.

Example usage:

# Trace a resource as a specific user
crossplane resource trace compositeresource.example.org my-resource --as=jane@example.com

# Check cluster top as a service account
crossplane cluster top --as=system:serviceaccount:team-a:reader

# Install a package impersonating a group
crossplane xpkg install provider example/provider-foo --as-group=team-a-admins