Commit

Merge pull request #40308 from wongma7/pv-rbac
Automatic merge from submit-queue (batch tested with PRs 40574, 40806, 40308, 40771, 39440)

Add bootstrap cluster role for external pv provisioners

The set of permissions an external provisioner kubernetes/kubernetes#30285 running as a pod will need. Technically in order to dynamically provision PVs one doesn't need to "update" PVCs or "watch" events but the controller https://github.com/kubernetes-incubator/nfs-provisioner/tree/master/controller we are recommending people use does those things to: set lock annotations on PVCs and watch `ProvisioningSucceeded`/`ProvisioningFailed` events.

Some external provisioners may need additional permissions, for example nfs-provisioner requires "get" access to Services and Endpoints when run "statefully." I think in that case we would recommend creating a new ClusterRole specific to that provisioner, using this as a base?

(This was to be a part of my redo/fix of the external e2e test kubernetes/kubernetes#39545 but I'm submitting it as a separate PR for now due to some issues I had with running nfs-provisioner on gce.)

@kubernetes/sig-auth-misc ?
Kubernetes Submit Queue authored Feb 2, 2017
2 parents 3f11965 + 83a8ac6 commit ea572f3
Showing 0 changed files with 0 additions and 0 deletions.
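
The provisioner-specific ClusterRole suggested in the commit message, sketched as an added example (not part of this commit or of the nfs-provisioner project). The role, binding and ServiceAccount names are hypothetical, the manifest is written against `rbac.authorization.k8s.io/v1`, and the base PV/PVC/StorageClass rules are an assumption; only "update" on PVCs, "watch" on events and "get" on Services and Endpoints come from the message.

```yaml
# Added example: names are hypothetical and the base rule set is assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-nfs-provisioner          # hypothetical name
rules:
  # Assumed base: what a dynamic provisioner needs to create and reclaim PVs.
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  # "update" is present only so the controller can set lock annotations on PVCs.
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # "watch" only: the controller observes ProvisioningSucceeded/ProvisioningFailed.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["watch"]
  # nfs-provisioner addition when run "statefully": read-only, no list/watch.
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-nfs-provisioner          # hypothetical name
subjects:
  # Dedicated ServiceAccount for the provisioner pod (hypothetical name/namespace).
  - kind: ServiceAccount
    name: nfs-provisioner
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-nfs-provisioner
```

Binding to a dedicated ServiceAccount rather than the namespace's default one keeps the extra Services and Endpoints access limited to the provisioner pod.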