calico: update calico-kube-controller manifest (#12481)

Co-authored-by: Cyclinder Kuo <kuocyclinder@gmail.com>

roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2

@@ -30,6 +30,8 @@ spec:
           operator: Exists
         - key: node-role.kubernetes.io/control-plane
           effect: NoSchedule
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
 {% if policy_controller_extra_tolerations is defined %}
         {{ policy_controller_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
 {% endif %}
@@ -59,6 +61,8 @@ spec:
               - /usr/bin/check-status
               - -r
             periodSeconds: 10
+          securityContext:
+            runAsNonRoot: true
           env:
             - name: LOG_LEVEL
               value: {{ calico_policy_controller_log_level }}
@@ -68,6 +72,8 @@ spec:
             - name: DATASTORE_TYPE
               value: kubernetes
 {% else %}
+            - name: ENABLED_CONTROLLERS
+              value: policy,namespace,serviceaccount,workloadendpoint,node
             - name: ETCD_ENDPOINTS
               value: "{{ etcd_access_addresses }}"
             - name: ETCD_CA_CERT_FILE

roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2

@@ -19,19 +19,6 @@ rules:
       - watch
       - list
       - get
-  - apiGroups:
-    - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-    - networking.k8s.io
-    resources:
-      - networkpolicies
-    verbs:
-      - watch
-      - list
 {% elif calico_datastore == "kdd" %}
   # Nodes are watched to monitor for deletions.
   - apiGroups: [""]
@@ -67,6 +54,7 @@ rules:
       - blockaffinities
       - ipamblocks
       - ipamhandles
+      - tiers
     verbs:
       - get
       - list