Add Gateway API RBAC for skew protection#55

Open
marcopiraccini wants to merge 2 commits into main from gateway-api-rbac
@marcopiraccini
Contributor

Summary

  • Adds Gateway API permissions to the plt-pod-manager ClusterRole so Machinist can manage HTTPRoute resources
    for version-aware routing (skew protection)
  • Grants httproutes full CRUD (get, list, create, update, patch, delete) and gateways read-only (get, list)
    under gateway.networking.k8s.io
  • Documents the Gateway API requirement in README.md, including opt-in behavior and controller compatibility

Details

Skew protection routes requests to specific application versions using the Kubernetes Gateway API. ICC manages
HTTPRoute resources via Machinist to implement cookie-based session-to-version affinity. Machinist's service
account needs RBAC permissions for these Gateway API resources.

These RBAC rules are safe to deploy even without Gateway API CRDs installed — Kubernetes silently ignores RBAC
rules for unknown API groups. Skew protection is opt-in; when disabled, no Gateway API resources are created.

The rules match what is already defined in machinist/infra/machinist.yaml for local development.

Signed-off-by: marcopiraccini <marco.piraccini@gmail.com>
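
An added example, not part of the pull request or the project's code: a Python check that compares a ClusterRole, in the JSON form returned by `kubectl get clusterrole plt-pod-manager -o json`, against the Gateway API grants listed in the description above and reports anything broader. The sample role, its `pods` rule and the function name `audit_gateway_rbac` are constructed for illustration.

```python
import json

GROUP = "gateway.networking.k8s.io"
# Expected grants, taken from the PR description above.
ALLOWED = {
    "httproutes": {"get", "list", "create", "update", "patch", "delete"},
    "gateways": {"get", "list"},
}

def audit_gateway_rbac(cluster_role):
    """Return findings where rules reaching GROUP exceed ALLOWED."""
    findings = []
    for i, rule in enumerate(cluster_role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        explicit = GROUP in groups
        if not explicit and "*" not in groups:
            continue  # rule cannot reach Gateway API resources
        verbs = set(rule.get("verbs", []))
        for res in rule.get("resources", []):
            if res == "*":
                findings.append(f"rule {i}: wildcard resource covers all of {GROUP}")
            elif res not in ALLOWED:
                # Under apiGroups "*" other names belong to other groups; skip them.
                if explicit:
                    findings.append(f"rule {i}: unexpected resource {res}")
            else:
                extra = verbs - ALLOWED[res]  # a "*" verb shows up here too
                if extra:
                    findings.append(f"rule {i}: {res} grants extra verbs {sorted(extra)}")
    return findings

# Constructed sample: the two Gateway API rules as described, plus a made-up core rule.
SAMPLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "plt-pod-manager"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": ["gateway.networking.k8s.io"], "resources": ["httproutes"],
     "verbs": ["get", "list", "create", "update", "patch", "delete"]},
    {"apiGroups": ["gateway.networking.k8s.io"], "resources": ["gateways"],
     "verbs": ["get", "list"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_gateway_rbac(SAMPLE) or ["no drift from the described grants"]:
        print(finding)
```
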
Contributor

@leorossi leorossi left a comment

LGTM

Signed-off-by: marcopiraccini <marco.piraccini@gmail.com>