[k8s] Fix issues with iotedged and edgeagent role bindings (Azure#1548)

Make sure iotedged role bindings is a superset of edgeagent's role  bindings.

EdgeAgent's role should not be cluster-admin.

edgelet/edgelet-kube/src/convert/to_k8s.rs

@@ -508,8 +508,8 @@ pub fn spec_to_role_binding(
         }),
         role_ref: api_rbac::RoleRef {
             api_group: "rbac.authorization.k8s.io".into(),
-            kind: "ClusterRole".into(),
-            name: "cluster-admin".into(),
+            kind: "Role".into(),
+            name: module_label_value.clone(),
         },
         subjects: vec![api_rbac::Subject {
             api_group: None,
@@ -807,8 +807,8 @@ mod tests {
         }
 
         assert_eq!(role_binding.role_ref.api_group, "rbac.authorization.k8s.io");
-        assert_eq!(role_binding.role_ref.kind, "ClusterRole");
-        assert_eq!(role_binding.role_ref.name, "cluster-admin");
+        assert_eq!(role_binding.role_ref.kind, "Role");
+        assert_eq!(role_binding.role_ref.name, "edgeagent");
 
         assert_eq!(role_binding.subjects.len(), 1);
         let subject = &role_binding.subjects[0];

kubernetes/charts/edge-kubernetes/templates/edge-rbac.yaml

@@ -42,6 +42,12 @@ rules:
     verbs: ["list", "create", "delete", "update"]
   - apiGroups: [""]
     resources: ["secrets", "serviceaccounts", "configmaps"]
+    verbs: ["list", "get", "create", "update", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["list", "create"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
     verbs: ["list", "get", "create", "update"]
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources: ["rolebindings"]
@@ -74,4 +80,4 @@ rules:
     verbs: ["list", "create"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
-    verbs: ["list", "get", "create", "update"]
+    verbs: ["list", "get", "create", "update"]