add manifests for rbac and psps

Allow cadvisor to run in clusters with PSPs enabled

deploy/kubernetes/base/cluserrole.yaml

@@ -0,0 +1,10 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cadvisor
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+    - cadvisor

deploy/kubernetes/base/cluserrolebinding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cadvisor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cadvisor
+subjects:
+- kind: ServiceAccount
+  name: cadvisor
+  namespace: cadvisor

deploy/kubernetes/base/daemonset.yaml

@@ -14,6 +14,7 @@ spec:
       labels:
         name: cadvisor
     spec:
+      serviceAccountName: cadvisor
       containers:
       - name: cadvisor
         image: k8s.gcr.io/cadvisor:v0.30.2

deploy/kubernetes/base/kustomization.yaml

@@ -1,5 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cadvisor
 commonLabels:
   app: cadvisor
 resources:
-- namespace.yaml
+- cluserrole.yaml
+- cluserrolebinding.yaml
 - daemonset.yaml
+- namespace.yaml
+- podsecuritypolicy.yaml
+- serviceaccount.yaml

deploy/kubernetes/base/podsecuritypolicy.yaml

@@ -0,0 +1,21 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cadvisor
+spec:
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'
+  allowedHostPaths:
+  - pathPrefix: "/"
+  - pathPrefix: "/var/run"
+  - pathPrefix: "/sys"
+  - pathPrefix: "/var/lib/docker"
+  - pathPrefix: "/dev/disk"

deploy/kubernetes/base/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cadvisor
+  namespace: cadvisor