Roles are in need of annotations

[benjaminapetersen]

Per discussion w/@deads @enj @liggitt @jwforres
Re this PR in the web console and this Trello card.
Roles are in need of the following annotations:

authorization.openshift.io/infrastructure 
openshift.io/description
openshift.io/display-name

The filter we initially said was this:

      return _.filter(roles, function(item) {
        // image-puller & image-pusher ok, other system: no
        return (item.metadata.name === 'system:image-puller' ||
               item.metadata.name === 'system:image-pusher') ||
               ! _.contains(item.metadata.name, 'cluster-') &&
               ! _.contains(item.metadata.name, 'system:');
      });

and the roles that passed the test:

edit, registry-admin, registry-editor, system:image-pusher, self-access-reviewer, sudoer, system:image-puller, admin, registry-viewer, self-provisioner, basic-user, view

[benjaminapetersen]

Gonna keep the discussion about the annotation going here so those who don't want to get notified about the UI stuff can ignore.

@jwforres pointed out roles like image puller are infrastructure, but still need to be in our filtered list.

Brain dump of other possibilities:

authorization.openshift.io/user-friendly
authorization.openshift.io/primary
authorization.openshift.io/fundamental
authorization.openshift.io/end-user
authorization.openshift.io/end-usable
authorization.openshift.io/end-user-should-know-about-maybe
authorization.openshift.io/voodoo

I'm leaning towards something like user-friendly at this point, it seems to fit intention of the category we are trying to create. Its not a hard line, more of a helpful suggestion.

[benjaminapetersen]

Perhaps authorization.openshift.io/system-only (exclusive)

• new roles will show up automatically
• if a new role is created & the desire is to hide it, the annotation must be added.