Update webhook to block escalate

Signed-off-by: Mikkel Oscar Lyderik Larsen <mikkel.larsen@zalando.de>

cluster/node-pools/master-default/userdata.clc.yaml

@@ -489,7 +489,7 @@ storage:
               - mountPath: /etc/kubernetes/ssl
                 name: ssl-certs-kubernetes
                 readOnly: true
-          - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.6
+          - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.7
             name: webhook
             ports:
             - containerPort: 8081

cluster/node-pools/master-ubuntu-default/userdata.yaml

@@ -226,7 +226,7 @@ write_files:
             - mountPath: /etc/kubernetes/ssl
               name: ssl-certs-kubernetes
               readOnly: true
-        - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.6
+        - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.7
           name: webhook
           ports:
           - containerPort: 8081

test/e2e/authorisation_test.go

@@ -2156,6 +2156,34 @@ var _ = framework.KubeDescribe("Authorization tests", func() {
 				}}`,
 				},
 			},
+			{
+				msg: "cdp service account can't escalate permissions",
+				reqBody: `{
+					"apiVersion": "authorization.k8s.io/v1beta1",
+					"kind": "SubjectAccessReview",
+					"spec": {
+					"resourceAttributes": {
+						"namespace": "",
+						"verb": "escalate",
+						"group": "*",
+						"resource": "clusterroles"
+					},
+					"user": "system:serviceaccount:default:cdp",
+					"group": []
+					}
+				}`,
+				expect: expect{
+					status: http.StatusCreated,
+					body: `{
+					"apiVersion": "authorization.k8s.io/v1beta1",
+					"kind": "SubjectAccessReview",
+					"status": {
+						"denied": true,
+						"reason": "no one is allowed to escalate"
+					}
+				}}`,
+				},
+			},
 			{
 				msg: "operator service account cannot create namespaces",
 				reqBody: `{