Splits kuryr-controller and kuryr-cni ServiceAccounts

The same ServiceAccount was used for kuryr-controller and kuryr-cni.
This change splits the ServiceAccount, generates two ServiceAccounts,
controller_service_account.yaml and cni_service_account.yaml and
applies them.The documentation, Kuryr installation as kubernetes addon
network addon was also updated to reflect this change.

Change-Id: I567aaa38f5498af4641e06002b808915dd467aec
Closes-Bug: #1764783

devstack/lib/kuryr_kubernetes

@@ -417,11 +417,14 @@ data:
 EOF
 }
 
+# Generates kuryr-controller service account and kuryr-cni service account.
 function generate_kuryr_service_account() {
     output_dir=$1
     mkdir -p "$output_dir"
     rm -f ${output_dir}/service_account.yml
-    cat >> "${output_dir}/service_account.yml" << EOF
+    rm -f ${output_dir}/controller_service_account.yml
+    rm -f ${output_dir}/cni_service_account.yml
+    cat >> "${output_dir}/controller_service_account.yml" << EOF
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -482,6 +485,45 @@ roleRef:
   name: kuryr-controller
   apiGroup: rbac.authorization.k8s.io
 EOF
+
+    cat >> "${output_dir}/cni_service_account.yml" << EOF
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kuryr-cni
+  namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kuryr-cni
+rules:
+- apiGroups:
+  - ""
+  verbs: ["*"]
+  resources:
+    - pods
+    - nodes
+- apiGroups:
+    - openstack.org
+  verbs: ["*"]
+  resources:
+    - kuryrports
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kuryr-cni-global
+subjects:
+- kind: ServiceAccount
+  name: kuryr-cni
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: kuryr-cni
+  apiGroup: rbac.authorization.k8s.io
+EOF
 }
 
 function generate_controller_deployment() {
@@ -622,7 +664,7 @@ spec:
       - key: "node.kubernetes.io/not-ready"
         operator: "Exists"
         effect: "NoSchedule"
-      serviceAccountName: kuryr-controller
+      serviceAccountName: kuryr-cni
       containers:
       - name: kuryr-cni
         image: kuryr/cni:latest

devstack/plugin.sh

@@ -177,8 +177,11 @@ function run_containerized_kuryr_resources {
         "${k8s_data_dir}/certificates_secret.yml" \
         || die $LINENO "Failed to create kuryr-kubernetes certificates Secret."
     /usr/local/bin/kubectl create -f \
-        "${k8s_data_dir}/service_account.yml" \
-        || die $LINENO "Failed to create kuryr-kubernetes ServiceAccount."
+        "${k8s_data_dir}/controller_service_account.yml" \
+        || die $LINENO "Failed to create kuryr-controller ServiceAccount."
+    /usr/local/bin/kubectl create -f \
+        "${k8s_data_dir}/cni_service_account.yml" \
+        || die $LINENO "Failed to create kuryr-cni ServiceAccount."
 
     if is_service_enabled openshift-master; then
         # NOTE(dulek): For OpenShift add privileged SCC to serviceaccount.

doc/source/installation/containerized.rst

@@ -119,11 +119,12 @@ Example run:
 
    $ KURYR_K8S_API_ROOT="192.168.0.1:6443" ./tools/generate_k8s_resource_definitions.sh /tmp
 
-This should generate 5 files in your ``<output_dir>``:
+This should generate 6 files in your ``<output_dir>``:
 
 * config_map.yml
 * certificates_secret.yml
-* service_account.yml
+* controller_service_account.yml
+* cni_service_account.yml
 * controller_deployment.yml
 * cni_ds.yml
 
@@ -150,7 +151,8 @@ To deploy the files on your Kubernetes cluster run:
 
    $ kubectl apply -f config_map.yml -n kube-system
    $ kubectl apply -f certificates_secret.yml -n kube-system
-   $ kubectl apply -f service_account.yml -n kube-system
+   $ kubectl apply -f controller_service_account.yml -n kube-system
+   $ kubectl apply -f cni_service_account.yml -n kube-system
    $ kubectl apply -f controller_deployment.yml -n kube-system
    $ kubectl apply -f cni_ds.yml -n kube-system