Apply ClusterRoleBinding to dnsmaq when rbac_enabled (#1592)

* Add RBAC policies to dnsmasq

* fix merge conflict

* yamllint

* use .j2 extension for dnsmasq autoscaler

roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2

@@ -31,6 +31,9 @@ spec:
         scheduler.alpha.kubernetes.io/critical-pod: ''
         scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
     spec:
+{% if rbac_enabled %}
+      serviceAccountName: dnsmasq
+{% endif %}
       tolerations:
         - effect: NoSchedule
           operator: Exists

roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml

@@ -0,0 +1,14 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: dnsmasq
+  namespace: "{{ system_namespace }}"
+subjects:
+  - kind: ServiceAccount
+    name: dnsmasq
+    namespace: "{{ system_namespace}}"
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

roles/dnsmasq/templates/dnsmasq-deploy.yml

@@ -57,7 +57,6 @@ spec:
               mountPath: /etc/dnsmasq.d
             - name: etcdnsmasqdavailable
               mountPath: /etc/dnsmasq.d-available
-
       volumes:
         - name: etcdnsmasqd
           hostPath:

roles/dnsmasq/templates/dnsmasq-serviceaccount.yml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: dnsmasq
+  namespace: "{{ system_namespace }}"
+  labels:
+    kubernetes.io/cluster-service: "true"