78a205259d
Addresses review: a policy's directory should be the base of the paths it
grants, so a code owner of one policy path cannot grant themselves access
elsewhere (e.g. sys or approle).
- policies/rancher/admin.yaml now grants only rancher/{config,service-accounts,
roles}.
- Move the sudo-protected plugin-catalog grant to
policies/sys/plugins/catalog/rancher.yaml (base path sys/plugins/catalog/),
owned by a sys code owner.