run calico-policy-controller with proper sa/role/rolebinding

roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml

@@ -0,0 +1,16 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+      - pods
+      - namespaces
+      - networkpolicies
+    verbs:
+      - watch
+      - list

roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-policy-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}

roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
+  labels:
+    kubernetes.io/cluster-service: "true"

roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2

@@ -60,3 +60,6 @@ spec:
       - hostPath:
           path: {{ calico_cert_dir }}
         name: etcd-certs
+{% if rbac_enabled %}
+      serviceAccountName: calico-policy-controller
+{% endif %}