Don't enforce standard k8s and ssh auth mechanisms when joining sessions

[xacrimon]

We currently enforce standard SSH and K8S auth mechanisms to determine resource access in addition to the Moderated Sessions join check, we shouldn't do this since it prevents configuring the ability to join sessions without the ability to start them.

Notable changes:

• Use the new SessionTracker system for SSH session discovery on the tsh side, move to phase out the session service and the semi-hacky metadata keys.
• Get initial terminal size for joining a session from an SSH request rather than fetching a backend key that is constantly updated with the size, this was needed to start phasing out the old metadata system since we don't constantly update the new tracker system with such changing metadata.
• Introduce a special SSH principal which does not abide by node access RBAC checks, this is restricted to joining sessions only at which point moderated sessions RBAC logic is applied.
• Remove cluster access checks when joining a kubernetes session.
• Apply RFD 45 RBAC deny rules to the new moderated sessions metadata system to keep compatibility.

This is well covered by existing tests, relevant tests have been adjusted.

[zmb3]

Looks okay to me other than the minor suggestions here, but I am not super familiar with this code.

[russjones]

@xacrimon Can you add test coverage to this PR?

[r0mant]

@xacrimon Just checking, are we going to close this one and go with a different approach?

[xacrimon]

@r0mant We're not, we decided to go with this approach in #11223. I will be updating this PR soon.

[xacrimon]

@r0mant Can you take another look at this PR please since you left a request-changes status last?

[xacrimon]

friendly ping: @r0mant