suggestion: explain authorization chain

[pires]

This is something that I spent some time trying to understand, and I think it can help others, particularly people who are implementing an authorizer, either as part of their custom API server or as a Webhook of kube-apiserver.

Basically, what was a surprise to me is that there's an extra state other than the boolean-style Allow/Deny, namely NoOpinion.
And this is very important to understand that other than AlwaysAllow authorizer, (I believe) all other authorizers, including Node and RBAC emit NoOpinion by default - well, there's no way to model Deny in RBAC, is there? -. And so should a Webhook, as a best-practice, I think.
Last but not least, it should be noted that if all authorizers emit NoOpinion, the API server will deny the request. I'm sure this is obvious to the authors, but this is implemented as part of the apiserver Go library.