Implement Secure Port Forwarding

[aojea]

This PR implements secure, bidirectional TCP port forwarding (tunneling) over WebSockets for Kubeflow Workspaces. This allows users to securely access workspace resources (like SSH or other container ports) without exposing raw ports over the internet.

• Expand the WorkspaceKindPort to allow to expose TCP ports in addition to the existing HTTP ones (port forwarding is only allowed on TCP types). This is required because for HTTP the controller creates an Istio VirtualService to route web traffic from the browser through the Istio Ingress Gateway directly to the container but it breaks TCP only traffic. Setting the Service to TCP allows to forward it.
• It proxies TCP traffic bidirectionally via a secure WebSocket connection using the workspaces-backend API service.
• Introduces a new, narrow connect verb on the workspaces Kubernetes resource. Access is strictly enforced at the API layer via Delegated SubjectAccessReviews (SAR).
• Enforces strict same-origin checking on the WebSocket handshake for browser-based clients, ensuring it is secure-by-default in production.
• The backend dynamically resolves and routes traffic to the workspace's underlying Kubernetes Service based on label selectors.

closes: #23

Human at the wheel, AI in the passenger seat

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kimwnasptd for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment