kubectl: Add proxy --unix-socket=/file/path option

Proxies on a TCP port are accessible outside the current security
context (e.g. uid). Add support for having the proxy listen on a
unix socket, which has permissions applied to it.

We make sure the socket starts its life only accessible by the
current user using Umask.

This is useful for applications like Cockpit and other tools which
want the help of kubectl to handle authentication, configuration and
transport security, but also want to not make that accessible to
all users on a multi-user system.
Stef Walter
2015-07-01 10:17:53 +02:00
parent cd30bd6167
commit f6da3fdbe1
6 changed files with 53 additions and 18 deletions
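
The umask approach the commit message describes, as an added Go example (not code from this commit). The names `listenPrivateUnix` and `socketMode` are hypothetical, and the socket path is a constructed temporary path.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// listenPrivateUnix (hypothetical helper) binds a unix socket that has no
// group/other permission bits from the moment bind() creates the file.
// Tightening the mode with chmod after Listen would leave a window in
// which other local users could already connect.
func listenPrivateUnix(path string) (net.Listener, error) {
	// Remove a stale socket from an earlier run; "not found" is fine.
	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	// The umask is process-wide: set it only around the bind and restore
	// it immediately so later file creation keeps the original mask.
	old := syscall.Umask(0077)
	l, err := net.Listen("unix", path)
	syscall.Umask(old)
	return l, err
}

// socketMode returns the permission bits of the socket file.
func socketMode(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "proxy-demo") // constructed sample location
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := dir + "/proxy.sock"
	l, err := listenPrivateUnix(path)
	if err != nil {
		panic(err)
	}
	defer l.Close()
	mode, _ := socketMode(path)
	fmt.Printf("%s mode %04o group/other bits clear: %v\n", path, mode, mode&0077 == 0)
}
```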

@@ -52,7 +52,7 @@ The above lets you 'curl localhost:8001/custom/api/v1/pods'
.PP
\fB\-\-disable\-filter\fP=false
If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks. Use with caution.
If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.
.PP
\fB\-h\fP, \fB\-\-help\fP=false
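Review bot: In the reworded --disable-filter description, "when used with an accessible port" does not say what makes a port accessible, and the comma before "when" makes the condition read as an afterthought. The commit message already states the actual condition, that a TCP port is reachable outside the current uid, so the text should name it, for example "can leave you vulnerable to XSRF attacks when the proxy listens on a TCP port". It would also help to say that the flag still disables filtering on a unix socket, so the protection there rests entirely on the socket's permissions.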
@@ -70,6 +70,10 @@ The above lets you 'curl localhost:8001/custom/api/v1/pods'
\fB\-\-reject\-paths\fP="^/api/.\fI/exec,^/api/.\fP/run"
Regular expression for paths that the proxy should reject.
.PP
\fB\-u\fP, \fB\-\-unix\-socket\fP=""
Unix socket on which to run the proxy.
.PP
\fB\-w\fP, \fB\-\-www\fP=""
Also serve static files from the given directory under the specified prefix.
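Review bot: The new --unix-socket entry, "Unix socket on which to run the proxy.", leaves out the property that motivates the option. The commit message says the socket is created accessible only to the current user by way of the umask, and that belongs in the description, since a user who later relaxes the file's permissions widens access to the proxy. The entry should also state what happens when the path already exists and how the option interacts with the TCP port the proxy otherwise listens on.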