Restrict CloudDeploy SA of application to be able to deploy only to the application's namespace

[gushob21]

As of now, each application when created gets a Cloud Deploy service account that does the app deployment on the GKE cluster. This SA gets container.developer role so it can technically deploy to any namespace in the cluster, which is a security risk.
We should follow a principle least privilege and implement RBAC based SA so that they can only deploy to a given name space on the cluster.
An example on how to do this is https://cloud.google.com/deploy/docs/securing/sa-by-namespace

[gushob21]

This is taken care of in the new version on the branch private_gke_gh_multiproject_blueprint. Other branch with GKE(main) will be updated when needed.